IT Governance Global Status Report2006

The IT Governance Institute

The IT Governance Institute (ITGITM) (www.itgi.org) was established in 1998 to advance international
thinking and standards in directing and controlling an enterprises information technology. Effective IT
governance helps ensure that IT supports business goals, optimises business investment in IT, and
appropriately manages IT-related risks and opportunities. The IT Governance Institute offers original
research, electronic resources and case studies to assist enterprise leaders and boards of directors in their
IT governance responsibilities.
Disclaimer
The IT Governance Institute (the Owner) has designed and created this publication, titled IT
Governance Global Status Report2006 (the Work), primarily as an informational resource for chief
information officers, senior management and IT management. The Owner makes no claim that use of any
of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper
information, procedures and tests or exclusive of other information, procedures and tests that are
reasonably directed to obtaining the same results. In determining the propriety of any specific
information, procedure or test, chief information officers, senior management and IT management should
apply their own professional judgement to the specific circumstances presented by the particular systems
or information technology environment.
Disclosure
Copyright 2006 IT Governance Institute. All rights reserved. No part of this publication may be used,
copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form
by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written
authorisation of the IT Governance Institute. Reproduction of selections of this publication for internal
and non-commercial or academic use only is permitted and must include full attribution of the materials
source. No other right or permission is granted with respect to this work.
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.itgi.org
ISBN 1-933284-32-3
IT Governance Global Status Report2006
Printed in the United States of America

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

Acknowledgements
The IT Governance Institute wishes to recognise:
The ITGI Board of Trustees
Everett C. Johnson, CPA, Deloitte & Touche (retired), USA, International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor Generals Office, Singapore, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Jean-Louis Leignel, MAGE Conseil, France, Vice President
Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President
Frank Yam, CISA, CIA, CCP, CFE, CFSA, FFA, FHKCS, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Emil DAngelo, CISA, CISM, Bank of Tokyo-Mitsubishi, USA, Trustee
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee
Erik Guldentops, CISA, CISM, Belgium, Advisor, IT Governance Institute
The ITGI Committee
William C. Boni, CISM, Motorola, USA, Chair
Jean-Louis Leignel, MAGE Conseil, France, Vice Chair
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Tony Hayes, FCPA, Queensland Government, Australia
Anil Jogani, CISA, FCA, Tally Solutions Limited, UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Michael Schirmbrand, CISA, CISM, CPA, KPMG, Austria
Eddy Schuermans, CISA, PricewaterhouseCoopers, Belgium
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada
The PricewaterhouseCoopers Research Team
Floris Ampe, Belgium
Dirk Steuperaert, Belgium
Pieter Breyne, Belgium
Bart Peeters, Belgium
Alain Guillemyn, Belgium
Jill Hassan, Northern Ireland, UK
Claire Peacocke, Northern Ireland, UK
Geraldine OConnor, Northern Ireland, UK
The Survey Development Team
Everett C. Johnson, CPA, Deloitte & Touche (retired), USA
John Lainhart IV, CISA, CISM, IBM, USA
Georges Ataya, CISM, CISA, CISSP, Solvay Business School, Belgium
Serge Yablonsky, CISA, CPA, SYC SA, France
ITGI is pleased to recognise its affiliates and sponsors
ISACA chapters
Bindview Corporation
CA

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

Table of Contents
Executive Summary ..........................................................................................................................5
Project Objective................................................................................................................................5
2005 Survey Sample ..........................................................................................................................5
Global Reach......................................................................................................................................5
How to Read the Report ....................................................................................................................5
Key Findings of the Survey ...............................................................................................................6

Survey Approach and Methodology .................................................................................7

1.1
1.2
1.3

Survey Results..........................................................................................................................11
2.1
2.2
2.3
2.4
2.5
2.6
2.7

Funnel Analysis ......................................................................................................................45

Appendix ......................................................................................................................................47
5.1
5.2

Introduction.............................................................................................................................41
Awareness, Use and Perceptions of COBIT.............................................................................41

Conclusions................................................................................................................................45
4.1

Introduction.............................................................................................................................11
Importance and Benefits of IT ...............................................................................................11
IT Problems and Potential Solutions ......................................................................................17
Awareness and Use of IT Governance Frameworks...............................................................22
Awareness, Use and Perceptions of COBIT.............................................................................28
General IT Profile...................................................................................................................34
Cross-references......................................................................................................................37

COBIT User Sample Survey .................................................................................................41

3.1
3.2

Survey Approach ......................................................................................................................7

Funnel Analysis ........................................................................................................................7
The Sample ...............................................................................................................................7

Compound Problem Index......................................................................................................47

Highlights of Most Important Findings From Large Geographic Areas................................47

Table of Figures .......................................................................................................................48

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

Executive Summary
In 2003, PricewaterhouseCoopers (PwC) was commissioned by the IT Governance Institute to conduct the first
global research into awareness, perceptions and applications of IT governance and IT governance frameworks.
The value of those results made it clear that there would be great benefit in repeating the survey on a periodic
basis, to track trends and uncover new material on these topics.
In 2005, PwC was commissioned by ITGI to conduct the second global survey on IT governance. The survey
was conducted from July 2005 until October 2005 and this report highlights the most significant findings.

Project Objective
The purpose of the research was to reach members of the C-suite to determine their sense of priority and
actions already taken relative to IT governance and their need for tools and services to help assure effective IT
governance.
This high-level objective was translated into the following more detailed objectives:
1. Survey and analyse the degree to which the concept of IT governance is recognised, established and
accepted within boardrooms and especially by chief information officers (CIOs).
2. Determine what level of IT governance expertise exists and which frameworks are known and are (or will
be) adopted.
3. Measure the extent to which ITGIs own solution, Control Objectives for Information and related
Technology (COBIT), is selected and how it is perceived.

2005 Survey Sample

The survey group consisted of two subgroups of CIOs and CEOs: those selected from a random database and
those from ITGIs contact database. The total number of interviews conducted was 695, of which 623 were
from the random sample of organisations and 72 were from ITGIs database of registered COBIT users. In
general, this report includes the responses of:
Both groups combined (i.e., the full sample) for all questions not related to COBIT or to the selection
of frameworks
The random sample only for those questions that were related to the acceptance and use of frameworks
The ITGI COBIT user sample and the COBIT users amongst the random sample for those questions that were
specifically COBIT-related

Global Reach
The interviews were conducted worldwide (in 22 countries) and in the language of the interviewee. All
continents/regions were represented.

How to Read the Report

The report contains five chapters:
Chapter 1 explains the methodology used to conduct the survey.
Chapter 2 contains the detailed survey results.
Chapter 3 focuses on the results from the COBIT community.
Chapter 4 contains the results of the funnel analysis.
The appendix contains further information on the compound problem index and the findings from the largest
geographic areas.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

Key Findings of the Survey

1. IT is more critical to business than ever.
For 87 percent of the participants, IT is quite to very important to the delivery of the corporate
strategy and vision. For 63 percent of the respondents, IT is regularly or always on the boards agenda.
2. General managers feel more positive toward IT than IT managers do.
Compared to IT managers, general managers attach even more criticality and importance to IT. In
addition, they are generally more satisfied with IT and with its strategic alignment with the business.
3. Significant differences amongst industry sectors exist.
IT/telecom and financial services appear to be better performers when it comes to IT governance,
while the retail and manufacturing industries are lesser performers. These outcomes are in line with
the degree of strategic importance of IT in these industry sectors.
4. IT staffing is the most important IT-related problem.
When taking into account all aspects of a problem, such as frequency of occurrence, severity of the
problem and future evolution, IT staffing appears to be the most important problem in IT.
5. IT security is not the most important IT-related problem.
When taking all dimensions of the problem into account, security (and compliance) is ranked last of
eight IT problem categories.
6. IT outsourcing is out.
IT outsourcing is no longer seen as the most effective measure to resolve IT problems. As business
and IT have become increasingly aware of the fact that IT problems cannot be outsourced, they have
tended to bring control of problematic systems back in-house.
7. Awareness of ISACA and ITGI has increased.
Awareness amongst the general IT population of the ISACA and ITGI brands has almost tripled
compared to the 2003 survey.
8. Awareness of COBIT has increased.
Awareness in the general population of the existence of COBIT has increased by 50 percent since
2003, from 18 percent to 27 percent. In addition, one out of six respondents who know COBIT claims
to know the contents to a great extent.
9. Sarbanes-Oxley has not created the anticipated effect.
The US Sarbanes-Oxley Act extends management responsibilities, requiring that managers proactively
ensure that financial statements and other public reports are accurate and complete. This means that
proper IT controls should be in place.
However, a lower than expected numberonly 38 percentof the COBIT users indicated that
Sarbanes-Oxley legislation or other new accounting-related legislation or regulation was the reason to
introduce COBIT in their organisation. (The survey did not distinguish between old and new COBIT
users, which could explain the result.)
10. IT governance (and COBIT) is not as easily implemented as originally estimated.
A number of results lead to the conclusion that implementing IT governance is not as straightforward
as perhaps once thought. The same conclusion can be made regarding COBIT implementation. Putting
things in perspective, however, these results confirm that:
Good IT governance practices are not built overnight; they require time and continued commitment.
Implementing COBIT is not a matter of taking it out of the box and implementing it as written.
Instead, it is a process of selecting the most appropriate elements, tailoring them as needed and
applying them to the specific needs of the organisation.
11. COBIT is being used by about 10 percent of the IT population.
The current acceptance rate of COBITi.e., the percentage of the general IT population using one or
more parts of COBITis now 10 percent (at least). Given the relatively large number of respondents
indicating that they use an internally developed IT governance solution, it is probable that there are a
number of hidden COBIT users who have implemented portions of it in their own enterprise-specific
solution.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

1. Survey Approach and Methodology

1.1

Survey Approach

The PricewaterhouseCoopers International Survey Unit conducted 695 interviews with CIO- and CEO-level
individuals throughout the world. The interviews were conducted by telephone or mail, depending on the
participants location, and in the interviewees native language.
Each interview took, on average, between 15 and 20 minutes, a duration that was selected to balance
comprehensiveness and feasibility. The interviews were carried out under the Market Research Society and
Marketing Research Association codes of conduct, guaranteeing complete anonymity of the participants. None
of the information obtained in the interviews has been attributed to any individual and all comments have been
treated in strictest confidence.

1.2

Funnel Analysis

The final result of the survey is a funnel analysis (see chapter 4). Starting from the overall IT community,
composed of the decision makers over IT (CIO, CEO), the funnel analysis establishes:
Which part of the IT community experiences problems with IT
Which part of this group recognises the concept of IT governance as a potential solution to this problem
Which part of this group is aware of the practical solutions to this problem and of the fact that the adoption
of COBIT may offer a solution to the IT governance problem
Which part of this group actually adopts and implements COBIT

1.3

The Sample

The size of the sample was increased from 276 respondents in the 2003 survey to 695 respondents in the 2005
version (figure 1).

Figure 1Size and Geographic Distribution of the Sample

Asia-Pacific

Europe

Latin America

North America
2005
191

2003
104

96
67
36

265

69

143

A more detailed analysis of the respondents IT profile is provided in section 2.6 of this report.
Thanks to the increase in the sample population (n= 695), the error margin decreased from 6 percent (in 2003)
to 4 percent. With a confidence level of 95 percent, the error margin is defined as follows [worst case of 50/50
(p and q)]:
ConfidenceLevel95 percent= 2*= 4 percent because

pq

50 * 50
2
695

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

The results are therefore reliable (at a 95 percent confidence level) with an error margin of plus or minus
4 percent, i.e., results must be a minimum of 4 percent different before any meaningful conclusion can be
drawn.
1.3.1
Geographic Reach
Figure 1 shows the increase in number of interviews and the geographic reach of the project. It is
noteworthy that the share of Asia-Pacific participants has grown from 24 percent in 2003 to 38 percent in
2005. The reason for this increase in Asia-Pacific participants is two-fold:
By design, more Asia-Pacific participants were targeted in this study; a new Asia-Pacific country, India,
was added to the random sample.
The response rate in the Asia-Pacific area was much higher than average.
The following countries were included in the survey:
North America (21 percent of the respondents)Canada, Mexico and US
Europe (27 percent)Belgium, France, Germany, Italy, Spain, Sweden, The Netherlands and UK
Latin America (14 percent)Argentina, Brazil, Chile, Colombia and Peru
Asia-Pacific (38 percent)Australia, Hong Kong, India, Indonesia, Japan and Singapore

Figure 2Participation by Industry Sector

120

IT/telecoms

172

Financial services
Manufacturing

51

Retail
Public sector

69
167
1.3.2
Industry Participation
Figure 2 shows the participation by industry sector.

1.3.3
Size of the Respondents Organisation
The survey results have been differentiated by large (>500 employees) and small (<500 employees)
organisations. As shown in figure 3 the sample contained 43 percent small organisations and 57 percent
large organisations. The number of small companies has increased from 38 percent in 2003.

Figure 3Organisation Size

2

300
393

Small
Large
Cannot decide/refused

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

1.3.4
Respondents Job Functions
As shown in figure 4, 19 percent of the participants can be classified as general management, while 68
percent are IT management and 4 percent are responsible for audit-related functions.

Figure 4Job Function

68
27

129
General management
(CEO, CFO, COO)
IT management
(CIO, head of IT)
Audit
Cannot decide/refused

471

In the 2003 survey, a marked hesitance to discuss IT governance was noted on the part of CEOs and general
management. There was no significant change in that behaviour in the 2005 survey.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

10

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

2. Survey Results
2.1

Introduction

This chapter of the report contains the detailed answers to a selection of the most important questions of the
survey. For each question, the following information is included:
The overall results, i.e., results of the whole sample without any geographical, industry or any other
breakdown
Comment on the results, if applicable or relevant
A breakdown of the results by region, industry type, organisation size or respondent profile, if significant.
This information is included only if there are meaningful differences amongst different categories and/or if the
sample size is still representative.
Many of the questions were posed in both the 2003 and the 2005 surveys. In most of those cases, the results
from both years surveys are presented, for comparison purposes. If only one set of responses is presented,
either the question was used in 2005 only or the comparison with 2003 did not offer any particularly
meaningful additional information; in either case, the results shown are 2005 results.

2.2

Importance and Benefits of IT

2.2.1

Thinking about your overall corporate strategy or vision, how important do you consider IT
to be to the delivery of this strategy or vision?

Figure 5Importance of IT for Overall Strategy

2003

2005
52%

57%

39%
30%

1%

0%

Not important
at all

1%

3%

Not very
important

7% 10%
Not sure

Quite
important

Very
important

(Based on 695 respondents of the overall sample)

Observation: The overall importance of IT to the delivery of the corporate strategy or vision has not evolved
in a spectacular way. IT remains quite to very important to the corporate strategy for the large majority of the
respondents, with a slight increase in the top category of importance.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

11

Figures 6 and 7 show the further breakdown of these results by industry and job function.

Figure 6Importance of IT for Overall Strategy, by Industry Sector

Not important
at all

Not very
important

Not sure

Quite
important

Very
important

100%
80%

45%
60%

71%

37%
23%

49%

25%

34%

78%

40%
20%

59%

16%

0%
IT/telecom

Financial
services

Manufacturing

Retail

Public sector

Observation: ITs perceived importance is higher in the IT/telecom and financial services sectors,
while it is seen as less important in manufacturing, retail and the public sector.

Figure 7Importance of IT for Overall Strategy, by Job Function

General management

IT management
67%
54%
31%
22%

0% 0%
Not important
at all

4% 3%
Not very
important

6%

11%

Not sure

Quite
important

Very
important

Observation: General management perceives IT as more important to the delivery of the corporate
strategy than IT management does.

12

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

2.2.2

How frequently is IT included on your organisations board agenda?

Figure 8Frequency of IT on Board Agenda

2003

2005

37%

36%

33%

38%

22%

5%

25%

3%

Never

Sometimes

Regularly

Always

(Based on 695 respondents of the overall sample)

Observation: Compared to 2003, IT is now included slightly more often on organisations board agenda on a
regular basis (+5 percent).

Figure 9 shows the further breakdown of these results along industry lines.

Figure 9Frequency of IT on Board Agenda, by Industry Sector

Never

Sometimes

100%

25%
80%

Regularly

14%

Always

22%

33%
60%
40%

33%

43%

52%
46%

20%
0%

16%

42%

21%

16%

IT/telecom

Financial
services

29%
Manufacturing

Retail

44%

36%
Public sector

Observation: IT is included on the board agenda most often in IT/telecom and financial services, and least
often in manufacturing. This result is in line with the result of the previous question, which indicated that IT
is more important to delivering on the organisations strategy in the IT/telecom and financial services sectors
than in the other sectors.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

13

2.2.3
IT investments have helped to:
This is a general question designed to measure the overall success or value IT has brought to the
organisation.

Figure 10IT Investments Outcome

Achieve strategic goals

4,18
4,21

Produce relevant and pertinent information for the business

4,24
4,18

Ensure that business-critical information is available when needed

4,06
4,17

Ensure that business-critical information is reliable

3,95
4,16

Ensure that business-critical information is accurate and complete

3,93
4,03

Ensure that business-critical information is

compliant with applicable regulations

3,82
4,00

Ensure important efficiency gains

Ensure that business-critical information is and remains confidential

2003
2005

4,12
3,91
3,8
3,81

(Based on 695 respondents of the overall sample)

The response scale was from 1, do not agree, to 5, fully agree.

Observation: In general, IT investments have helped to achieve all the important information criteria.
Compared with 2003, most of them have slightly increased. The largest increase relates to reliability of
business-critical information and the biggest decrease is in important efficiency gains. This connotes a
shift from efficiency toward more strategic benefits (effectiveness).
Use of IT investments to achieve strategic goals has switched places with produce relevant and pertinent
information for the business as the top choice. It is also noteworthy that, as in 2003, confidentiality
scores the lowest.

14

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

2.2.4

How regularly does your IT department inform the business about potential business
opportunities enabled by new technologies?

Figure 11Communication From IT to the Business

38%

41%

14%
7%

Never

Sometimes

Regularly

Always

(Based on 695 respondents of the overall sample)

Observation: A small majority (55 percent) of IT departments always or regularly inform the business about
potential business opportunities.

2.2.5

To what extent does your IT department understand, investigate and support the business
user needs?

Figure 12IT Departments Understanding of Business User Needs

56%

36%

2%
Not at all

6%
Not really

To some extent

To a large extent

(Based on 695 respondents of the overall sample)

Observation: The IT department of more than half of the respondents (56 percent) understands and supports
the business users needs to a large extent. However, this also means that in 44 percent of the cases, there is
room for significant improvement.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

15

Figure 13 shows these responses by job function.

Figure 13IT Departments Understanding of Business User Needs, by Job Function

General management

IT management
64%
55%

37%
27%
5%

4%

2%

6%

Not really

Not at all

To some
extent

To a large
extent

Observation: Nearly two-thirds (64 percent) of general management indicates that the IT department
understands, investigates and supports business users needs to a large extent. Only 55 percent of IT
management agrees with this statement. This result, when combined with previous results, can be seen as
confirmation that the IT manager has to move toward a business manager role, communicating more like
a business manager with the other business managers.
2.2.6

How would you describe the fit between your IT plan and your organisations overall
business strategy?

Figure 14Fit Between IT Plan and Business Strategy, by Job Function

General management

IT management

40% 41%
30%

28%
23%
19%

10%
4%

2%

Very poor

2%
Poor

Average

Good

Very good

(Based on 695 respondents of the overall sample)

Observation: General managers note a slightly better strategic fit between business and IT than do IT
managers.

16

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

The respondents claiming to have a good or very good strategic fit between business and IT compose only
60 percent of the entire sample. This result demonstrates that there is still room for improvement in the
strategic fit between business and IT.
Note: European Survey on ICT Value Management, published by PricewaterhouseCoopers in the first quarter
of 2005, showed that only 10 percent of European companies have their ICT investments very well aligned
with their business objectives, confirming the above observation.

2.3

IT Problems and Potential Solutions

This section addresses IT problems encountered by the respondents. It investigates the frequency of occurrence
of the problems, their perceived severity, their historic evolution and their expected evolution in the next 12
months. Then potential solutions, expressed as high-level practices, are evaluated for their estimated
effectiveness.
2.3.1
Compound Problem Index
The survey asked several questions about the IT-related problems experienced by the respondents, such as:
Frequency of occurrence of IT-related problems
Severity
Evolution over the past 12 months (improvement or deterioration)
Priority for resolution in the 12 coming months
From this information, a compound problem index (CPI) was defined, which is the result of multiplying the
outcomes listed above. As such, it is an indicator for the relative priorities the respondents gave to different
IT-related problems.

Figure 15IT-related Problems in Last 12 Months (CPI)

IT staffing problems

117

High cost/low ROI

88

Operational IT incidents

85

No view on IT performance

81

Outsourcing problems

74

Disconnect between business/IT strategies

72

Security/privacy incidents

60

IT not meeting compliance requirements

44
0

50

100

150

(Based on 695 respondents of the overall sample)

Observation: When taking all aspects of the problems into account, IT staffing problems are the key issue on
the agenda of the survey participants, followed by ROI issues and operational incidents.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

17

Compliance and security/privacy, on the other hand, are at the bottom of the list. Whereas this may seem a
bit surprising, this ranking may reflect the results of the recent significant efforts put into information
security projects and compliance programmes (e.g., Sarbanes-Oxley in the US).
The following questions and responses provide the detail that fed into the calculation of the CPI.
2.3.2

Which of the following problems have you experienced with IT in the last 12 months?

Figure 16IT-related Problems in Last 12 Months

2003

7%

None

2005

21%

No view on IT performance

15%

IT not meeting compliance requirements

15%

41%

38%

IT staffing problems

35%

Outsourcing problems

23%

Disconnect between business/IT strategies

24%

Security/privacy incidents

28%

21%

Operational IT incidents

40%

27%
35%

High cost/low ROI

30%

0%

10%

20%

30%

40%

50%

(Based on 688 respondents of the overall sample)

Note: The same question was asked in 2003 but with a few different answering possibilities. This
difference in answering options may explain some of the differences shown in the graph.
Observation: The number of companies that indicated that they have no IT problems increased from 7
percent in 2003 to 21 percent in 2005. In line with this finding, the percentages for all problems have
decreased, with the largest decrease accruing to no view on IT performance.
A possible explanation for this outcome might be the fact that many users experience IT through their
desktop, where Windows has become quite stable and has not undergone any major upgrades over the last
two years. ERP systems have also become more mature. In addition, the absence of any major technology
push in the last few years has resulted in less disruption. And, of course, efforts to improve IT and bring it
better under control may also have caused the tangible benefits reflected in these responses.
An analysis of the results by industry sector fails to identify any significant differences in absolute
number of reported problems or in the distribution amongst different problem types.

18

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

Figures 17-19 depict the severity of the problems, their evolution over the last year and the priority they
constitute for the coming year.

Figure 17Problem Severity

No view on IT performance

1,84

IT not meeting compliance requirements

1,88

IT staffing problems

1,97

Outsourcing problems

1,93
1,83

Disconnect between business/IT strategies

1,95

Security/privacy incidents

2,1

Operational IT incidents
1,86

High cost/low ROI

1.0

1.5

2.0

2.5

3.0

These results are based on a scale from 1, not at all serious, to 3, very serious.
Observation: The three most serious problems are:
1. Operational IT incidents
2. IT staffing
3. Security/privacy incidents

Figure 18Evolution of the Problems

No view on IT performance

0,45

IT not meeting compliance requirements

0,42

IT staffing problems

0,32

Outsourcing problems

0,39

Disconnect between business/IT strategies

0,48

Security/privacy incidents

0,74

Operational IT incidents

0,72

High cost/low ROI

-1.00

0,46
-0.50

0.00

0.50

1.00

These results are based on a scale from -1, the situation has deteriorated, to +1, the situation has improved.
Observation: The situation has improved for every problem during the last 12 months, with the most progress
occurring in security/privacy incidents and operational IT incidents. IT staffing problems show the lowest rate
of progress. This corresponds to the result shown in figure 16: that IT staffing problems have decreased less
than the other problems over the past year.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

19

Figure 19Importance of Addressing the Problems

No view on IT performance

3,75
3,69

IT not meeting compliance requirements

IT staffing problems

3,98

Outsourcing problems

3,93

Disconnect between business/IT strategies

3,98
4,09

Security/privacy incidents
Operational IT incidents

3,99

High cost/low ROI

3,88
1

These results are based on a scale from 1, not at all important, to 5, very important.
Observation: The most important problems to address in the next 12 months are security/privacy
incidents and operational IT incidents.
2.3.3

How effective could the following high-level measures be for resolving your IT-related
problems?

Figure 20Effectiveness of High-level Measures

Better alignment of IT with strategy

3,93

Better management of IT resources

3,90

Better delivery of business value through IT

3,90
3,87

Better management of IT process

Better measurement of IT performance

3,87

Better management of risk

3,67

Outsourcing IT

3,15
1

(Based on 623 respondents of the overall sample)

These results are based on a scale from 1, not at all effective, to 5, very effective.
Observation: Outsourcing of IT is seen as the least effective measure to resolve IT-related problems. This
observation is a confirmation of the trend that outsourcing is no longer the permanent cure for expensive
IT or business process problems.
20

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

Figure 21 examines the responses on effectiveness of IT outsourcing, by job function.

Figure 21Effectiveness of IT Outsourcing, by Job Function

General management (CEO, CFO, COO)

IT management (CIO, head of IT)

31%
27%

26%
20%
15%
11%

Not at all
effective

19%
15%

13%

11%

Not very
effective

Not sure

Quite
effective

Very
effective

Observation: IT management may have been reluctant to describe IT outsourcing as a very effective solution
for IT problems because IT managements position could be harmed by extensive outsourcing. Ultimately, the
difference between the two groups is minimal.
2.3.4

Which of the following statements do you believe to be good IT governance practices?

Figure 22IT Governance Practices

Adequate business continuity and security measures taken

90%
85%

Setting up right organisational structures

81%

IT resources requirements based on business priorities

IT processes regularly audited for effectiveness and efficiency

80%
71%

Board review of IT budgets and plans

66%

IT management of IT projects, portfolio

64%

CEO informed on IT risks

IT scorecard for value creation

57%
49%

IT project portfolio managed by business department

0%

25%

50%

75%

100%

(Based on 613 respondents of the overall sample)

Observation: Letting the business manage the IT project portfolio is not often seen as a good IT governance
practice. Based on ITGIs definition of IT governance, it would have been expected that this practice would
rank much higher in the list of good IT governance practices, possibly even before board review of IT budgets
and plans. This illustrates two possible interpretations:
There is confusion on what exactly IT governance is. This problem is best to be addressed before elaborating
on the different solutions for IT governance.
When thinking about IT, management is still more in a hands-on and control mode than a governance mode.
I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

21

2.4

Awareness and Use of IT Governance Frameworks

2.4.1

What organisations are you aware of that provide or implement solutions to IT

governance problems?

Figure 23Recognised IT Governance Providers

2003
25%

Not aware of any

35%

ISACA

8%

ITGI

8%

23%

Local (national) professional or governmental organisations

Universities
Strategic consultants (McKinsey, etc.)
Smaller/niche consultants

2005

23%
19%

10%
3%
8%
10%
10%
9%
17%
40%
42%

Large consultants/IT
26%
28%

Big 4
16%
8%

Gartner, IDC, etc.

0%

10%

20%

30%

40%

50%

(Based on 507 respondents of the random sample)

Observation: The top three IT governance service providers of which respondents are aware are:
1. Big 4
2. Large IT consultancies
3. ISACA/ITGI
The survey participants awareness of ISACA and ITGI as IT governance solution providers has increased
by almost 200 percent (from 8 percent in 2003 to 23 percent in 2005). Further analysis shows that most
people who know ISACA also know ITGI and vice versa.
This item was posed as an open question. Those respondents who did not mention ITGI/ISACA
spontaneously were queried as to their recognition of the organisations: 16 percent were aware of the
brands or organisations.
Although companies in Latin America are generally aware of some provider, their awareness is primarily
limited to large or small IT consultancies and the Big 4.

22

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

2.4.2

How would you rate them with regard to their expertise in IT governance solutions or
frameworks?

Figure 24Expertise of IT Governance Providers

2003

2005
3, 8
3, 7

ISACA
3, 5

ITGI

3, 9
3, 6
3, 5

Local (national) professional or governmental organisations

0

Universities

3, 3
3

Strategic consultants (McKinsey, etc.)

3, 9
0

Smaller/niche consultants

3, 8
3, 8
4, 0

Large consultants/IT
Big 4

3, 6

Gartner, IDC, etc.

3, 6
3, 6
0

(Based on 507 respondents of the random sample)

These results are based on a scale from 1, low level of expertise, to 5, high level of expertise.
Observation: The general perception of the level of expertise of IT governance providers has increased since
2003. The largest increase was for the strategic consultants. Only two of the named providers decreasedand
only very slightlyin perceived expertise concerning IT governance solutions and frameworks.

2.4.3

How would you rate them with regard to their ability to implement IT governance solutions
or frameworks?

Figure 25Implementation Ability of IT Governance Providers

2003

2005
3, 5
3, 6

ISACA
3, 2

ITGI

3, 6

Local (national) professional or governmental organisations

3, 5
3, 4

Universities

3, 4

Strategic consultants (McKinsey, etc.)

3, 2
4, 0

Smaller/niche consultants

3, 8
3, 7
4, 0

Large consultants/IT

3, 5

Big 4

4, 0

Gartner, IDC, etc.

3, 3
3, 7
0

(Based on 507 respondents of the random sample)

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

23

These results are based on a scale from 1, low level of ability, to 5, high level of ability.
Observation: The perception of implementation ability of IT governance providers is greatest for the
Big 4 and large IT consultancies. This perception has increased for almost all of the providers, except for
the local organisations. ISACA and ITGI both show an increased level of perceived ability over 2003.
Overall, combining the results of the previous two questions (on expertise and implementation ability), the
Big 4 are seen as the most capable IT governance providers, followed by large IT consultancies and
strategic consultants (figure 26).

Figure 26Overall Capability of IT Governance Providers

4, 2
Big 4

4, 1

Large IT
Consultants

4, 0
ITGI

Expertise

3, 9

Strategic
Consultants

Analysts
Niche
Consultants

3, 8
ISACA
3, 7
3, 6
Local
Organisaions

3, 5
3, 4
Universities
3, 3
3, 3

3, 4

3, 5

3, 6

3, 7

3, 8

3, 9

4, 0

Implementation Capability

24

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

4, 1

4, 2

2.4.4

Have you implemented, are you in the process of implementing or are you considering
implementing an IT governance solution/framework?

Figure 27IT Governance Implementation Status

2003

2005
25%

Have already implemented

17%

15%

In the process of implementing

19%

18%

Considering implementing

22%

42%

Not considering implementing

36%

0%

10%

20%

30%

40%

50%

(Based on 623 respondents of the overall sample)

This is one of the major questions of the survey, actually probing the real status of IT governance adoption and
implementation.
Note: In 2005, the survey offered a do not know/refused response option, which was not offered in 2003.
Approximately 5 percent of the respondents selected that option, a portion of the 2005 responding population
not reflected in figure 27.
Observation: The share of companies that have implemented IT governance solutions/frameworks in 2005 is
lower than in 2003. On the other hand, the share of companies that are not considering implementing is also
lower.
This finding might be explained by the fact that implementing IT governance is not as easy as organisations
originally might have thought. See also item 3.2.3, which reflects a similar result from the COBIT community.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

25

Figure 28 shows the further breakdown of these results, according to industry sector.

Figure 28IT Governance Implementation Status, by Industry Sector

IT/telecoms

Financial services

Manufacturing

Retail

Public sector

46%
38% 36%

33%

36%
31%
24% 23%

23%

21%

20%

20% 21%

20%

18%

17%

10%

Not considering
implementing

Considering
implementing

In the process of
implementing

16%
10%

12%

Have already
implemented

2.4.5
Have you implemented measures in order to improve:
The purpose of this question was to determine if there were any hidden IT governance implementations,
i.e., measures that could be classified as IT governance solutions, but which are not labelled as such
within the organisations that implement them.

Figure 29Implementation Status of Partial IT Governance Measures

Not considering implementing

Considering implementing

In the process of implementing

Have already implemented

Alignment between IT strategy and overall strategy

IT resource management, e.g., people, systems or financials
IT value delivery aiming at better customer relationships
Costs
IT value delivery aiming at a higher product or service leadership or innovation
IT risk management
Actual performance measurement of IT
Active management of ROI of IT
0% 10% 20% 30% 40% 50%

60% 70% 80% 90% 100%

(Based on 623 respondents of the overall sample)

26

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

Observation: The primary partial IT governance solutions considered are :

Better cost management (not included in the 2003 survey)
Better IT resource management: people, systems or financials (top-ranked in 2003)
IT risk management
Additional research shows that only 9 percent of the responding organisations are not considering
implementing any partial IT governance solutionsa significant improvement over the 2003 survey
(17 percent).
2.4.6

What solutions/frameworks do you use or are you considering using?

Figure 30Selected IT Governance Frameworks

2003

2005
6%

BS 7799/ISO 17799/ISO TR13335/ISF

9%
11%

ISO 9000

21%
6%

ITIL

13%
11%

COBIT/COBIT Quickstart

9%

ISO 15000

5%
2%
1%

SysTrust
IT balanced scorecards (BSC)

7%
6%
4%

Software Engineering Institute Maturity Model (CMM and CMMi)

1%

COSO/ERM

4%

PMI, PMBOK, PRINCE2

3%

Six Sigma

5%
16%

Local (national) professional organisations solutions

8%
15%

International professional organisations solutions

7%
16%

Internally developed framework

33%

Not yet decided which one

22%

0%

10%

20%

30%

40%

(Based on 440 respondents of the overall sample)

Observation: One-third of the participants use or are considering using an internally developed framework.
Compared with 2003, the use of COBIT has decreased slightly. A possible explanation for this evolution could
be that COBIT often acts as a baseline, in partial or complete form, to further elaborate an internally developed
framework. Therefore, COBIT may be an integral (but not publicly acknowledged) part of the internally
developed frameworks reflected in these responses.
ISO 9000 has increased significantly since 2003, probably explained by the fact that India has now been
included in the survey sample.
Nearly one-quarter of the participants have not yet decided which framework to use.
I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

27

2.5

Awareness, Use and Perceptions of COBIT

2.5.1

Are you personally aware of the existence of COBIT?

Figure 31Personal Awareness of Existence of COBIT

2003

2005
82%
72%

27%
18%

Yes

No
(Based on 623 respondents of the random sample)

Observation: Personal awareness of COBIT is 50 percent higher in the 2005 survey.

Figures 32 and 33 show further breakdown of these results.

Figure 32Personal Awareness of Existence of COBIT, by Geographic Area

Asia-Pacific

Europe

Latin America

69%

28%

76%

North America

78%
68%

32%
22%

23%

Yes

No

Observation: Personal awareness is higher in North America (a significant increase from the 12 percent
awareness level in 2003) and Asia-Pacific (up from 16 percent in 2003). Although personal awareness is
lower in Latin America and Europe than in North America and Asia-Pacific, in reality there was no
change in their percentages from 2003.

28

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

Figure 33Personal Awareness of Existence of COBIT, by Organisation Size

Small

Large
78%
67%

33%
19%

Yes

No

(Based on 623 respondents of the random sample)

Observation: Personal awareness of the existence of COBIT is significantly higher in large organisations than
in small organisations. This may be because the complexity generally inherent in larger organisations tends to
call for a structured framework.
2.5.2

If you are personally aware of the existence of COBIT, are you personally aware of the
contents of COBIT?

Figure 34Personal Awareness of Contents of COBIT

55%
42%

Yes

No

(Based on 166 respondents of the random sample who are personally aware of existence of COBIT)

Observation: Of the 27 percent who are personally aware of the existence of COBIT, a small majority
(55 percent) are aware of its contents.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

29

2.5.3

If you are personally aware of the existence and the contents of COBIT, to what extent
are you aware of its contents?

Figure 35Extent of Personal Awareness of Contents of COBIT

66%

34%

To a large extent

To some extent

(Based on 91 respondents of the random sample who are aware of the contents of COBIT)

Observation: Amongst those who are aware of the contents of COBIT, 34 percent indicate they are aware
of those contents to a large extent.
Combining the three questions above, it is possible to conclude that approximately one out of six
(55 percent of 34 percent) who are aware of the existence of COBIT know the contents of COBIT to
a large extent.
2.5.4

Does (any area of) your organisation currently use COBIT?

Figure 36Use of COBIT Within Organisations Aware of COBIT

2003

2005

100%
71%

65%

75%
50%
30%

29%
25%
0%
Yes

No

(Based on 166 respondents of the random sample who are aware of the existence of COBIT)

Observation: In 2005, 30 percentroughly the same as in 2003of the participants who are personally
aware of the existence of COBIT use it in their organisation.

30

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

The conclusion that can be drawn from the previous three questions is that COBITs brand recognition has
increased since 2003, and brand acceptance has remained equal.
2.5.5

Which parts of COBIT does your organisation use?

Figure 37Use of Portions of COBIT

2003
Security Baseline/Information Security Governance
COBIT Quickstart
IT Governance Implementation Guide

2005

0%
44%
0%
28%
0%
55%
0%

COBIT Online

35%
57%

Management Guidelines

64%
73%

Audit Guidelines

81%
59%

Board Briefing

74%
73%

Control Objectives

89%
63%

Executive Overview and Framework

74%
0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

(Based on 89 respondents of the COBIT sample and the COBIT users in the random sample)

Note: COBIT Security Baseline/Information Security Governance, COBIT Quickstart, IT Governance

Implementation Guide and COBIT Online were not included in the 2003 survey.
Observation: The control objectives and the audit guidelines are the most widely used portions of COBIT.
This is in line with the fact that COBIT is most often used as an IT controls and audit framework, and also that
these are two of the oldest and best established parts of COBIT.
COBIT Quickstart is used less widely, which is consistent with the fact that it is designed for smaller
companies. Awareness of COBIT is lower in small companies than in larger companies.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

31

2.5.6

How easy or difficult has it been for you to implement the COBIT framework or part of
the COBIT framework?

Figure 38Difficulty in Implementing COBIT

2003
31%

2005
34%

32% 32%

18%
14%

12%

9%

7%

Very difficult

Somewhat
difficult

Neither difficult
nor easy

Somewhat
easy

7%

7%

Very easy

4%

Do not know

(Based on 98 respondents of the COBIT user sample)

Observation: In the 2005 results, 43 percent of the COBIT users find it difficult to implement COBIT and
only 21 percent find it easy. This is an almost exact reversal of the 2003 results, in which 43 percent
considered it easy to implement and 25 percent considered it difficult. This is most likely because there
are now a lot of relatively inexperienced new COBIT users who are still in the midst of the learning curve
for COBIT. As they become more familiar with COBIT, they will recognise that IT is not a ready-made,
off-the-shelf standard, but a collection of good practices that call for customisation and effort to adapt to
the target organisation.
2.5.7

How valuable do you think COBIT is in your IT governance efforts or initiatives?

Figure 39Value of COBIT for IT Governance Efforts

2003

2005
52%
41%
36%
27%

16%
2%

4%

2%

Not valuable at all

13%

6%

Not very
valuable

Not sure

Somewhat
valuable

Very valuable

(Based on 98 respondents of the COBIT user sample who responded affirmatively to item 2.5.4)

Observation: Fifty percent more COBIT users find COBIT to be very valuable in their IT governance
efforts, as compared to 2003.
32

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

2.5.8

Was the Sarbanes-Oxley legislation, or any other new accounting-related legislation or

regulation, a reason to introduce COBIT in your organisation?

Figure 40Regulation and COBIT Use

57%

38%

5%

Yes

No

Do not know

(Based on 98 respondents of the random sample)

Observation: More than one-third of the COBIT users indicate that the Sarbanes-Oxley legislation or other
new accounting-related legislation or regulation was a reason to introduce COBIT in their organisation.
Figure 41 examines this finding by geographic area.

Figure 41Regulation and COBIT Use, by Geographic Area

Asia-Pacific

Europe

Latin America

North America

76%
55%

62%

62%

38%

34%

35%

20%

Yes

No

Observation: As might be expected, in North America, home of the Sarbanes-Oxley Act, a majority of the
respondents indicate that the Sarbanes-Oxley legislation (or other new accounting-related legislation or
regulation) was a reason to introduce COBIT in their organisation.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

33

2.6

General IT Profile

This section contains more background information on the respondents, how they deal with IT and the
implementation of IT governance.
2.6.1

Have you implemented, are you in the process of implementing or are you considering
implementing business measurement projects such as balanced scorecards or
dashboards as part of your management reporting practices?

Figure 42Implementation of Business Measurement Projects

47%

20%
15%

12%

Not considering
implementing

Considering
implementing

In the process of
implementing

Have implemented

(Based on 623 respondents of the random sample)

Observation: Just slightly more than one-quarter of the respondents indicate that they are in the process
of implementing or have implemented business measurement projects. This is a lower percentage than the
figure reported in question 2.4.4 (IT governance implementation status), despite the fact that
implementing measurements/monitoring is an essential part of IT governance.
Figure 43 examines this result by industry sector.

Figure 43Implementation of Business Measurement Projects, by Industry Sector

IT/telecoms

51%

Financial services

Manufacturing

Retail

Public sector

48% 52% 49%

29%

24%

31%
19% 21% 20%

15%
6%

Not considering
implementing

Considering
implementing

14% 11%

22% 18%

In the process of
implementing

14%

15%

15%
4%

Have implemented

Observation: As noted in other questions, differences amongst industries can be observed, highlighting
the importance of IT for the financial sector.
34

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

2.6.2

How much value do you think your organisation is getting out of IT, perhaps in terms of
better customer relations, better risk management, lower cost or a higher product
leadership?

Figure 44Value of IT
47%

27%
17%

6%

3%

Not at all

Not very much

Not sure

Quite a lot

A lot

(Based on 695 respondents of the random sample)

Observation: A large majority74 percent of the participating organisationsthink their organisation gets
quite a lot or a lot of value from IT. Although this is an encouraging finding, 26 percent of respondents
remain unconvinced. In addition, when comparing to question 2.2.5 (ITs support of business needs), it can be
noted that although 92 percent believe IT is supporting the business to some extent, only 74 percent believe
IT brings real value. Clearly, attention to IT value management is required.
2.6.3

How would you rate your organisations maturity level on IT governance?

Figure 45Maturity Level of IT Governance

26%
21%

20%

14%
11%

4%

Non-existent

Inital/ad hoc

Initutive/
repeatable

Defined process

Managed and
measurable

Optimised

(Based on 695 respondents of the random sample)

Observation: Eighteen percent of the participants rate their organisations maturity level relative to IT
governance in the two most mature categories: managed or optimised. This may be an overestimation,
especially when one looks at other reference databases such as the benchmarking contained in COBIT Online,
which reflects fewer high estimates.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

35

2.6.4

Who has overall responsibility in your organisation for IT governance?

Figure 46Responsibility for IT Governance

33%

24%

24%

10%
6%
2%

CEO

CIO

CFO

Compliance/audit

Nobody

Other

(Based on 695 respondents of the random sample)

Observation: At one-third of the participating organisations, the CIO has overall responsibility for IT
governance. At 6 percent of the participating organisations, nobody has the responsibility for it. Overall,
this result is slightly troublesome since CEOswho should take responsibilitydo not do so to the
expected degree, while a significant number of CIOs (33 percent)who should not assume
responsibilitydo take it on.

36

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

2.7

Cross-references

This section contains cross-references, in which selected questions are combined to check for major trends or
to confirm intuitive opinions on relationships that should exist.
2.7.1

Have you implemented, are you in the process of implementing or are you considering
implementing business measurement projects such as balanced scorecards or dashboards
as part of your management reporting practices (2.6.1)?
AND
Thinking about your overall corporate strategy or vision, how important do you consider IT
to be to delivery of this strategy or vision (2.2.1)?

Figure 47Cross-reference of Measurement and Importance

Yes

No

65%

48%

35%
24%
13%
7%
1%

Not important
at all

3%

4%

Not very
important

Not sure

Quite
important

Very important

Observation: Those who consider IT important measure their progress toward or performance of IT
governance more than do those who do not consider IT so important. The acknowledgement of the IT
contribution leads to a higher perceived importance of IT on the business level.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

37

2.7.2

How would you rate your organisation's maturity level on IT governance (2.6.3)?
AND
Use of IT investments (2.2.3):

Figure 48Cross-reference of IT Governance Maturity Level and IT Investments

Agree strongly
89%
81%

81%
68%

Initial/

Repeatable/
intuitive

Defined
process

Managed and
measurable

Observation: IT investments have helped companies who rank themselves higher in their IT governance
maturity level to a greater degree than the investments have helped less mature companies. The return on
IT investment is much higher at organisations with a mature IT governance environment.
.
2.7.3

Thinking about your overall corporate strategy or vision, how important do you
consider IT to be to the delivery of this strategy or vision (2.2.1)?
AND
How would you describe the fit between your IT plan and your organisations overall
business strategy (2.2.6)?

Figure 49Cross-reference of Importance to the Strategy and Strategic Fit

Sum of good and very good
73%

50%

25%

Not sure

Quite important

Very important

Observation: As the importance of IT to the strategy increases, so too does the fit between the IT plan
and the business strategy.
38

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

2.7.4

Have you implemented, are you in the process of implementing or are you considering
implementing business measurement projects such as balanced scorecards or dashboards
as part of your management reporting practices (2.6.1)?
AND
How would you describe the fit between your IT plan and your organisations overall
business strategy (2.2.6)?

Figure 50Cross-reference of Measurement and Strategic Fit

71%

Yes

No

46%
37%

23%
13%

1%

4%

2%

Very poor

Poor

Average

Good

Observation: Those who measure progress or performance toward better IT governance experience a better
fit between the IT plan and overall business strategy.
2.7.5

How would you rate your organisations maturity level on IT governance (2.6.3)?
AND
In the past 12 months has the situation regarding IT staffing problems improved (figure 18)?

Figure 51Cross-reference of IT Governance Maturity Level and IT Staffing

Improved

64%
54%

46%

32%

19%

Non-existent

Initial/ad hoc

Repeatable/
intuitive

Defined
process

Managed and
measurable

Observation: As the IT governance maturity of an organisation increases, the IT staffing problem improves.
I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

39

40

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

3. COBIT User Sample Survey

3.1

Introduction

This section of the report contains a selection of detailed answers to the COBIT-related questions asked
exclusively of ITGIs COBIT user sample. For each question, the following information is included:
The overall results of the COBIT sample, i.e., the results of the whole sample without any geographical,
industry or any other breakdown
A comparison with the overall results of the larger survey (or with those from it who indicated they use
COBIT, depending on the question)

3.2

Awareness, Use and Perceptions of COBIT

3.2.1

If you are personally aware of the existence of COBIT, are you personally aware of the
contents of COBIT?

Figure 52Personal Awareness of Contents of COBIT

COBIT sample

Main sample

92%

55%
42%

9%

Yes

No

(Based on 67 respondents of the COBIT sample)

Observation: Almost all of the participants of the COBIT sample are aware of the contents of COBIT, as
opposed to slightly more than half of the main sample.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

41

3.2.2

If you are aware of the existence and the contents of COBIT, to what extent are you
aware of its contents?

Figure 53Extent of Personal Awareness of Contents of COBIT

COBIT sample

Main sample
66%

59%
41%
34%

To a large extent

To some extent

(Based on 61 respondents of the COBIT sample)

Observation: A more profound knowledge of COBIT exists amongst the COBIT sample, probably because
those respondents have been using it for a longer time.
3.2.3

How easy or difficult has it been for you to implement the COBIT framework or part of
the COBIT framework?

Figure 54Difficulty in Implementing COBIT

COBIT sample

Main sample

38%
31%

13%

31%

32%

14%

12%
7%

9%

7%

7%
4%

Very difficult

Somewhat
difficult

Neither difficult
nor easy

Somewhat
easy

Very easy

Do not
know

(Based on 45 respondents of the COBIT sample)

Observation: Implementation of the COBIT framework is experienced as significantly more difficult by

the COBIT sample than by the COBIT users in the main sample. This finding is in line with the trend noted
earlier: as users work with COBIT, they become more aware of the level of effort involved in its
implementation. Most likely, the COBIT sample respondents are farther down this path and are therefore
more aware of the effort required.

42

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

3.2.4

To what extent could or do the contents and structure of the COBIT framework allow you to
help implement effective IT governance practices in your organisation?

Figure 55COBITs Support in Implementing IT Governance Practices

COBIT sample

Main sample
49%

49%

44%

2%

4%

Do not know

4%

44%

3%

Not al all

To some extent

To a large extent

(Based on 45 respondents of the COBIT sample)

Observation: In the COBIT sample, as in the general sample, the majority of the participants believe that the
COBIT framework helps them implement effective IT governance practices in their organisation. The COBIT
samples greater familiarity with COBIT translates to greater confidence in its ability to help them implement
effective IT governance.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

43

44

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

4. Conclusions
4.1

Funnel Analysis

As part of the analysis of the statistics generated in this research, a funnel analysis was performed on the
survey results (figure 56). The funnel analysis reveals that most IT users are aware of the many problems
inherent in the use of IT and the need to do something about them. An even larger part of the IT user
community recognises IT governance as a solution to these problems or as a practice they should undertake.
Of the group that does not recognise IT governance as a solution, about 80 percent are performing a number
of actions that in fact could be classified as IT governance. Almost all organisations that recognise the concept
of IT governance know at least one potential solution or framework to use. Of those who know at least one
IT governance solution, about 23 percent are aware of ITGI/ISACA as solution provider, and, from this
group, about 50 percent are actually using COBIT. This number represents some 8 percent of the overall
IT user community.

Figure 56Results of Funnel Analysis

100

82

79

65
30

IT user
community

Justification

Awareness
of IT-related
problems

21 percent of all
respondents
reported no
problems with IT,
so 79 percent
do experience
problems.

Recognition
that IT
governance
is the
solution

58 percent of all
respondents
are at least
considering
IT governance
implementations.
Of the remaining
42 percent, a good
share (60 percent)
are at least
planning actions
that can be
considered partial
IT governance
solutions,
bringing the
total percentage
of those who
recognise
IT governance
concepts as good
solutions to
82 percent.

Knowledge
of potential
IT governance
solution
providers

35 percent of the
random sample
answered that
they are not aware
of any potential
solution provider
for IT governance,
so 65 percent are
aware of at least
one potential
solution.

Aware of the
ITGI/ISACA
brands as IT
governance
solutions

24 percent of the
respondents in the
random sample
are aware of ITGI
and/or ISACA as
potential solution
providers. Further
analysis showes
that the total
percentage of
respondents
knowing at least
one of the two
is 25 percent.

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

User of
COBIT

9 percent of the
random sample
responded that
they are using
COBIT. Also, of
all those who
know
ITGI and/or ISACA
as potential
solution providers
(25 percent of
random sample),
30 percent
reported to be
using their solution
(i.e., COBIT), which
confirms the
number above.

45

46

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

5. Appendix
5.1

Compound Problem Index

CPI can be calculated as the percentage of participants that have experienced the problem (figure 16),
multiplied by the seriousness of the problem, on a scale of 0 to 3 (figure 17), and the importance of
addressing the problem in the next 12 months, on a scale of 0 to 5 (figure 19). This total is then divided by the
evolution of the problem in the last 12 months, on a scale of -1 to +1 (figure 18).
CPI = % of participants x seriousness of the problem x future of the problem
evolution of the problem
For example, CPI of IT staffing = (34,6 percent of the participants encountered IT staffing problems in the last
12 months x 1,98 for seriousness x 3,97 for the importance of addressing the problem)/2,32 for evolution in
the last year = 117.

5.2

Highlights of Most Important Findings From Large Geographic Areas

The three countries with the most respondents in this survey were India, Japan and the US. Their results were
compared with the global averages. The most significant observations resulting from this comparison were:
IT is deemed very important for overall strategy delivery by 84 percent of respondents in India, compared to
57 percent worldwide.
In Japan, IT is not very often discussed at the board level: only 26 percent of respondents indicated that IT is
discussed regularly (or more often) by the board, compared to 63 percent worldwide.
When addressing how IT has helped achieve several information criteria, the responses from India are
generally 0.35 points higher than average (on a scale of 1 to 5) and those from Japan 0.35 lower.
Communication between IT and the board about IT matters is a much more formalised and regular process in
India (91 percent) compared to the worldwide average of 54 percent.
The overall assessment of the effectiveness of communication between IT and the rest of the business is very
low in Japan (3.2) compared to India (4.5) and to the worldwide average (3.8).
The US seems to suffer less from security- and privacy-related IT incidents (15 percent) compared to the
worldwide average of 25 percent and especially compared to Japan (36 percent) and India (33 percent).
In India there is little disconnect between IT and business strategy (11 percent), compared to a global average
of 29 percent.
The US has a rather negative view of the possible benefits of IT outsourcing: 45 percent believe outsourcing
will not be effective in solving IT-related problems (compared to a 30 percent average worldwide).
Awareness of the existence of ITGI is lower in Asia-Pacific (8 percent) than the worldwide average of 22
percent, and it is higher in the US (34 percent).

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6

47

6. Table of Figures
Page Number
Figure 1Size and Geographic Distribution of the Sample ........................................................................7
Figure 2Participation by Industry Sector...................................................................................................8
Figure 3Organisation Size .........................................................................................................................8
Figure 4Job Function .................................................................................................................................9
Figure 5Importance of IT for Overall Strategy .......................................................................................11
Figure 6Importance of IT for Overall Strategy, by Industry Sector........................................................12
Figure 7Importance of IT for Overall Strategy, by Job Function............................................................12
Figure 8Frequency of IT on Board Agenda.............................................................................................13
Figure 9Frequency of IT on Board Agenda, by Industry Sector.............................................................13
Figure 10IT Investments Outcome ..........................................................................................................14
Figure 11Communication From IT to the Business ................................................................................15
Figure 12IT Departments Understanding of Business User Needs........................................................15
Figure 13IT Departments Understanding of Business User Needs, by Job Function............................16
Figure 14Fit Between IT Plan and Business Strategy, by Job Function .................................................16
Figure 15IT-related Problems in Last 12 Months (CPI)..........................................................................17
Figure 16IT-related Problems in Last 12 Months....................................................................................18
Figure 17Problem Severity ......................................................................................................................19
Figure 18Evolution of the Problems........................................................................................................19
Figure 19Importance of Addressing the Problems ..................................................................................20
Figure 20Effectiveness High-level Measures ..........................................................................................20
Figure 21Effectiveness of IT Outsourcing, by Job Function ..................................................................21
Figure 22IT Governance Practices ..........................................................................................................21
Figure 23Recognised IT Governance Providers ......................................................................................22
Figure 24Expertise of IT Governance Providers .....................................................................................23
Figure 25Implementation Ability of IT Governance Providers...............................................................23
Figure 26Overall Capability of IT Governance Providers ......................................................................24
Figure 27IT Governance Implementation Status.....................................................................................25
Figure 28IT Governance Implementation Status, by Industry Sector.....................................................26
Figure 29Implementation Status of Partial IT Governance Measures ....................................................26
Figure 30Selected IT Governance Frameworks ......................................................................................27
Figure 31Personal Awareness of Existence of COBIT .............................................................................28
Figure 32Personal Awareness of Existence of COBIT, by Geographic Area ...........................................28
Figure 33Personal Awareness of Existence of COBIT, by Organisation Size ..........................................29
Figure 34Personal Awareness of Contents of COBIT ..............................................................................29
Figure 35Extent of Personal Awareness of Contents of COBIT ..............................................................30
Figure 36Use of COBIT Within Organisations Aware of COBIT .............................................................30
Figure 37Use of Portions of COBIT ........................................................................................................31
Figure 38Difficulty in Implementing COBIT ..........................................................................................32
Figure 39Value of COBIT for IT Governance Efforts ..............................................................................32
Figure 40Regulation and COBIT Use.......................................................................................................33
Figure 41Regulation and COBIT Use, by Geographic Area ....................................................................33
Figure 42Implementation of Business Measurement Projects ................................................................34
Figure 43Implementation of Business Measurement Projects, by Industry Sector ................................34
Figure 44Value of IT ...............................................................................................................................35
Figure 45Maturity Level of IT Governance ............................................................................................35
Figure 46Responsibility for IT Governance ............................................................................................36
Figure 47Cross-reference of Measurement and Importance ...................................................................37
Figure 48Cross-reference of IT Governance Maturity Level and IT Investments ..................................38
Figure 49Cross-reference of Importance to the Strategy and Strategic Fit.............................................38
Figure 50Cross-reference of Measurement and Strategic Fit..................................................................39
Figure 51Cross-reference of IT Governance Maturity Level and IT Staffing ........................................39
Figure 52Personal Awareness of Contents of COBIT ..............................................................................41
Figure 53Extent of Personal Awareness of Contents of COBIT ..............................................................42
Figure 54Difficulty in Implementing COBIT...........................................................................................42
Figure 55COBITs Support in Implementing IT Governance Practices ...................................................43
Figure 56Results of Funnel Analysis.......................................................................................................45
48

I T G O V E R N A N C E G L O B A L S TAT U S R E P O RT 2 0 0 6