
Computers in Human Behavior 32 (2014) 261–267


Assessment of IT governance in organizations: A simple integrated approach

Hesham Bin-Abbas (a), Saad Haj Bakry (b,*)
(a) King Abdulaziz City for Science and Technology, Riyadh, Saudi Arabia
(b) Department of Computer Engineering, College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia

Article info

Article history:
Keywords: Information Technology (IT); IT governance; ISO recommendations; COBIT; ITIL; STOPE view

Abstract

There are various methods available for dealing with IT governance. These methods are diversified, and in some cases lengthy and complicated. This paper is concerned with providing a unified simple approach for IT governance assessment. The approach is developed and tested through the following three main steps: (1) highlighting the basic requirements of IT governance considering key available methods; (2) designing the target approach that integrates these requirements and uses knowledge management principles; and (3) illustrating the use of the approach through a typical illustrative application. The approach uses the “STOPE: Strategy, Technology, Organization, People and Environment” view to integrate the issues involved, the knowledge management principles as an added value, and the six-sigma phases as a cyclic improvement process. The work provides “fifty” main IT governance controls; and these enable finding key strengths and weaknesses of IT governance in organizations from which development directions can be derived. It should be noted that considering knowledge management, and people as a main domain in the integration view, illustrate special emphasis of the human factor in IT governance.
© 2013 Elsevier Ltd. All rights reserved.

* Corresponding author. E-mail addresses: binabbas@isu.net.sa (H. Bin-Abbas), shb@ksu.edu.sa (S.H. Bakry).
0747-5632/$ - see front matter © 2013 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.chb.2013.12.019

1. Introduction

This section provides an entrance to the work presented in this paper through four main steps. In the first step, it attempts to clarify the confusion between the terms “IT: Information Technology” and “ICT: Information and Communication Technology”, and also to emphasize the importance of IT and ICT use. In the second step it introduces IT governance as a means for an efficient and effective use of IT. In the third step it considers the correlation between the knowledge management principles and IT use and consequently IT governance. Finally, in the fourth step, it introduces the work presented in this paper.

1.1. IT and ICT and their benefits

The terms “IT” and “ICT” are becoming of interchangeable nature. The “ISO: International Standards Organization” defines IT, in its recommended standard (ISO 38500, 2008), as “resources required to acquire, process, store and disseminate information”. It adds that this includes “CT: Communication Technology” and consequently ICT. Like the ISO standard, this paper will use IT to mean both IT and CT or ICT.

The use of IT has proved to deliver various benefits at various levels including: personal, business, government, and society as a whole. These benefits have been viewed as consisting of “five” main features. The first is saving time and leading to “faster” achievements; the second is saving cost through “cheaper” business activities. The third is providing services with “better” quality; while the fourth is opening new opportunities by introducing “different” capabilities. The fifth is enhancing trust by providing new “security” measures that are not feasible without IT. These benefits are summarized in the abbreviation “FCBDS” (Bakry, 2004).

1.2. IT governance controls

For efficient and effective use of IT, various national and international organizations have issued a number of documents concerned with providing IT governance recommendations. In this respect, the key documents among these include: “COBIT: Control Objectives for Information and Related Technologies” of the American “Information System Audit and Control Association” (Bakry & Alfantookh, 2006; COBIT 5, 2013); “ITIL: Information Technology Infrastructure Library” of the British “OGC: Office of Government Commerce” (Alfantookh & Bakry, 2009; ITIL, 2013); “ISO 20000” standard concerned with IT services management (ISO 20000, 2005); “ISO 38500” standard associated with the principle of IT governance (ISO 38500, 2008); and “MIT: Massachusetts Institute of Technology” work on IT governance (Weill & Ross, 2004). These recommendations are useful as references to the assessment of IT governance in organizations, where the outcomes of such assessments support planning and future improvements.

1.3. Knowledge management and IT use

Knowledge management has been associated with the use of IT in different fields for two main reasons. On the one hand, the use of IT supports the effectiveness of the knowledge activities required by knowledge management including: knowledge production, diffusion and utilization. On the other hand, the use of the knowledge management principles in IT governance enhances the effectiveness of IT use (Bin-Abbas & Bakry, 2012). Therefore the knowledge management principles need to be emphasized in IT governance for enhanced IT benefits in organizations working in different fields.

1.4. The presented work

The problem with using the available IT governance recommendations as assessment references is that they are: diversified; and in some cases based on lengthy and complicated methods. In addition, these recommendations do not provide enough attention to the knowledge management principles. Here therefore comes the need to unify and simplify IT governance assessments, and also to enhance such assessments by considering the knowledge management principles.

This paper provides a new approach that attempts to integrate the main controls associated with the basic IT governance requirements, using the available key recommendations; while also emphasizing adherence to the knowledge management principles. This approach would enable finding the key strengths and weaknesses of IT governance in organizations, upon which future development directions can be derived.

For the development of the target approach, the following phases have been considered:

• highlighting the basic requirements of IT governance considering the key available methods and recommendations mentioned above;
• designing a simple unified structured assessment framework that integrates these requirements and considers knowledge management principles; and
• illustrating the use of the framework through a typical application.

The following parts of the paper address each of these phases.

2. Key IT governance methods

The key available IT governance methods mentioned above are addressed in the following. The basic principles, issues and requirements of each of these methods are emphasized.

2.1. COBIT

IT governance according to COBIT is concerned with providing “support to the business requirements” of the organization concerned (Bakry & Alfantookh, 2006; COBIT, 2013; ITGI, 2005). COBIT provides its governance directions according to Schwartz-Deming process of “PDCA: Plan, Do, Check, Act” (De Feo & Barnard, 2004) considering the available IT and IT related resources, and emphasizing required performance criteria. A general view of COBIT is presented in Table 1.

2.2. ITIL and ISO 20000

ISO 20000, which is concerned with IT service management, is a trimmed version of the British ITIL concerned with IT services in organizations (Alfantookh & Bakry, 2009; ITIL, 2013; OGC, 2005). As we are concerned with the basic requirements, ISO 20000 is emphasized here (ISO 20000, 2005). Its target is to provide “effective management and implementation of IT services”. Like COBIT, its continuous development process is that of Deming’s “PDCA” (De Feo & Barnard, 2004). It associates its governance directions with the basic needs and management requirements given in Table 2.

2.3. ISO 38500

ISO 38500 provides guiding principles on “effective, efficient and acceptable use of IT” (ISO 38500, 2008). These principles are associated with six basic issues on the one hand, and with a development process on the other. The basic issues include: “responsibility, strategy, acquisition, performance, conformance and human behaviour”. The development process is not that of Deming’s five phases considered by the above methods; it includes instead the three main cyclic phases of “evaluate, direct and monitor”. A general view of the standard is given in Table 3.

2.4. MIT IT governance method

The IT governance research group of the MIT has published a book on its work (Weill & Ross, 2004). It considers the work of IT governance to be “toward desirable behaviour in the use of IT”. It specifies a three-phase mechanism for this purpose; and it draws a framework for the required activities based on the assets of the organization concerned. It emphasizes decision making concerned with IT to be based on the level of responsibility on the one hand, and the IT issues concerned on the other. It considers IT performance measures to be associated with IT business support. Table 4 summarizes the principles and requirements of MIT IT governance views.

3. An integrated simple approach

The target IT governance assessment approach is described below in terms of the following:

• the basic principles upon which the approach is based;
• the assessment method used; and
• the basic IT governance control requirements considered.

3.1. Basic principles

The targeted IT governance assessment approach is based on the following five main principles:

• Continuous development: responding to change and to rising issues and opportunities.
• Integration of key requirements: viewing collectively according to a comprehensive scope the basic generic requirements considered by the key methods addressed above, while also emphasizing human involvement.
• Simplification: emphasizing basic generic requirements, while leaving details to individual situations.
• Knowledge management: activating the role of knowledge and supporting knowledge sharing and collective wisdom among the people involved.

Table 1
IT governance target, process, resources and criteria (ITGI, 2005).

Target: IT support to business requirements

Process (Deming’s):
  No.  Cycle  Description
  1    Plan   Plan and organize
  2    Do     Acquire and implement
  3    Check  Deliver and support
  4    Act    Monitor and evaluate
Resources:
  • Data
  • Application sys
  • Technology
  • Facilities
  • People
Criteria:
  • Quality
  • Fiduciary (trust)
  • Security

Table 2
IT services management (ISO 20000, 2005).

Target: effective management and implementation of IT services

Process (Deming’s):
  No.  Cycle  Description
  1    Plan   Plan service management
  2    Do     Implement plan
  3    Check  Monitor, measure and review
  4    Act    Continual improvement
Basic needs:
  • Business requirements
  • People satisfaction: customers and IT team.
  • Service desk
  • Change: new services
  • Other related activities
Management requirements:
  • Capacity
  • Continuity
  • Reporting
  • Security
  • Budgeting and accounting
  • Service level
  • Configuration
  • Change
  • Incidents and other problems
  • Business relationships
  • Suppliers
  • New releases

Table 3
IT governance process and principles (ISO 38500, 2008).

Target: guiding principles on effective, efficient and acceptable use of IT.

Process:
  No.  Cycle     Description
  1    Evaluate  IT support to business requirements (operations and projects)
  2    Direct    Make appropriate decisions
  3    Monitor   Current state
Basic issues:
  • Responsibility: of individuals and groups
  • Strategy: IT satisfies the strategy of the organization
  • Acquisition: of IT for “valid reasons”
  • Performance: based on supporting the business of the organization
  • Conformance: with mandatory legislation and regulations
  • Human behaviour: response to the needs of all people in the process

• Assessment measures: translating the basic generic IT governance requirements into control elements that can be measured in terms of their importance level on the one hand and implementation level on the other.

Toward achieving continuous development, the six-sigma phases of the “DMAIC: Define, Measure, Analyze, Improve and Control” process (De Feo & Barnard, 2004) have been adopted. It is a modified version of Deming’s “PDCA” process, and it is widely advocated for quality management.

The basic generic IT governance requirements have been integrated over the “STOPE: Strategy, Technology, Organization, People and Environment” essential domains. These domains have previously been used in various IT investigations (Bakry, 2004). This integration supports simplification through providing a well-structured IT governance scope. Individual IT situations can use this general scope as a base for refinement to deal with specific detailed situations. It should also be noted here that STOPE integration domains include people as a main domain among the other four domains.

Considering knowledge management to drive IT governance has the advantage of exploring opportunities and collective wisdom among people, and leads to high performance. In addition, providing suitable measures to addressed control requirements helps specify improvement directions. Table 5 summarizes the integrated simple approach showing: the continuous development process; the STOPE essential domains; and the basic principles of knowledge management (Bin-Abbas & Bakry, 2012). The measurement method of the approach is addressed in the following.

3.2. Assessment method

Organizations concerned with the basic IT governance control requirements can ask two questions on each control element: the level of importance of the element; and the level of its implementation. For both questions, five levels have been taken into account. The mid-level “level three” would represent the average, with two levels above, and two levels below, as illustrated in Table 6.

Considering knowledge sharing, the two questions concerned with each issue can be assessed by different people. This would lead to the need of finding averages for both: the weight and the implementation, as given in Table 6. In addition, a relative measure that combines the averages of both: importance and implementation can be found. This is also illustrated in Table 6, which provides this relative combined measure as a percentage value.

The above can be applied not only to the basic IT governance control elements, but also to other possible elements that may be needed for specific cases. As will be seen below, the IT governance requirement controls are open to further additional considerations that may be taken into account. This enhances knowledge sharing and supports improvement.

3.3. IT governance controls

Fifty basic IT governance control elements have been mapped over the STOPE domains; with ten elements per domain. They have been derived from the key methods addressed above and from experience. These control elements are identified according to their domains in Tables 7–11, where each table is concerned with

Table 4
IT governance (Weill and Ross: MIT, 2004).

Target: toward desirable behaviour in the use of IT

Gov. mechanisms:
  No.  Mechanism
  1    Decision making: organization units and responsibilities
  3    Alignment: daily behaviour is consistent with policies (feed back to decision)
  4    Communication: of policies, decisions and outcomes to people concerned
Framework:
  Organization strategy
  Assets:
    • Physical
    • Financial
    • Human resources
    • Intellectual Property (IP)
    • Relationships: internal/external
  Business performance
Decision making (rights):
  • Top managers
  • IT specialists
  • Business unit level
  • Corporate center with business units
  • IT group with a business group
  • Isolated individuals or small group
Decision making (issues):
  • Principles: business role of IT
  • Architecture: IT integration and standards
  • Infrastructure: shared and enabling services
  • Business applications
  • Investment and priorities
Perform: effective use of IT with regards to:
  • Cost
  • Growth
  • Asset use: utilization
  • Business flexibility

Table 5
IT governance (a STOPE view with six-sigma process).

Target: an integrated view of IT governance

Process (Six Sigma):
  No.  Cycle    Description
  1    Define   Current state
  2    Measure  Performance: operation and outcome
  3    Analyze  Understand: strengths and weaknesses
  4    Improve  Operation and outcome
  5    Control  Sustain and prepare for next round
Scope: STOPE domains:
  • Strategy: IT strategy and its incorporation with the strategy of the organization
  • Technology: acquiring and operating suitable tech
  • Organization: IT effectiveness
  • People: concerned at all levels
  • Environment: regulations, practices and relationships
Drive: knowledge management:
  • Readiness: availability of knowledge
  • People’s enthusiasm: toward useful knowledge
  • People’s attitude: ethics and intelligence (logic)
  • Integration: knowledge activities
  • Synergy: collective wisdom among people (K sharing)
  • Application: at all levels
  • Means: networking
  • Measure: efficiency and quality

Table 6
Assessment method: importance (weight) and implementation level.

Scale for both importance (weight) “w[i]” and implementation level “g[i]”:
  1 = Poor/low; 2 = Below average; 3 = Average; 4 = Above average; 5 = Good/high

Average weight of a control element [i], for “K” assessments:
$$w[i] = \sum_{j=1}^{K} w[i,j] / K$$

Average implementation level of a control element [i], for “K” assessments:
$$g[i] = \sum_{j=1}^{K} g[i,j] / K$$

Collective weighted implementation indicator “r”, for “N” elements:
$$r = \left\{ \sum_{i=1}^{N} w[i] \times g[i] \Big/ \sum_{i=1}^{N} w[i] \times (5) \right\} \times 100$$

Table 7
Assessment of IT governance: ‘‘Strategy’’.

[i] Control elements Importance: w[i] Implementation: g[i]


1 2 3 4 5 1 2 3 4 5
1 The organization has ‘‘a documented and communicated IT governance policy’’ 0 0 0 2 5 0 4 2 1 0
2 The policy is associated with the ‘‘business requirements’’ of the organization 0 0 1 3 3 1 2 2 1 1
3 The policy sets-up ‘‘technology standards’’ for required services 0 1 0 2 4 1 1 3 0 2
4 The policy supports the ‘‘utilization and protection of organization’ assets’’ 0 0 1 4 2 1 1 4 0 1
5 The policy specifies the target ‘‘service level’’ of the organization. 0 0 1 2 4 1 1 3 2 0
6 The policy emphasizes ‘‘human resources satisfaction’’ and ‘‘knowledge sharing’’ 0 0 1 2 4 0 3 2 2 0
7 The policy complies with ‘‘legislations’’ at all levels: ‘‘organization, country and global levels’’ 0 0 0 3 4 1 1 1 3 1
8 The policy provides suitable ‘‘rules for directing and controlling’’ IT governance 0 0 1 4 2 3 0 3 1 0
9 The policy addresses cooperation: ‘‘internal and external relationships’’ 1 0 0 2 4 1 3 0 2 1
10 The policy considers effectiveness: ‘‘cost: budgeting versus benefits: deliverables:’’ 1 0 0 3 3 2 1 1 2 1
Other possible elements:

Table 8
Assessment of IT governance: ‘‘Technology’’.

[i] Control elements Importance: w[i] Implementation: g[i]


1 2 3 4 5 1 2 3 4 5
1 ‘‘Documentation’’ is available of IT and IT related components, operation, projects, and cost 0 0 1 0 6 0 1 3 2 1
2 ‘‘Facilities’’ are suitable for IT that can respond to business requirements 0 0 2 2 3 1 1 3 1 1
3 ‘‘IT infrastructure’’ is suitable for servicing business requirements 0 1 0 0 6 0 2 1 3 1
4 ‘‘Application systems’’ are suitable for servicing business requirements. 0 0 2 1 4 0 1 3 1 2
5 ‘‘Data systems’’ are suitable for servicing business requirements 0 0 2 2 3 0 0 5 0 2
6 ‘‘Integration of services’’ is available: internal level and external level 0 1 0 3 3 0 3 1 3
7 ‘‘Security measures’’ provide suitable protection. 0 0 0 1 6 0 0 0 5 2
8 ‘‘Standards’’ are used for required services: acquiring and operating technology 0 0 3 1 3 0 0 4 1 2
9 ‘‘Help disk’’: existence and performance 0 0 0 2 5 0 0 2 1 4
10 ‘‘Knowledge sharing website’’: existence, and performance 0 0 3 0 4 1 2 3 0 1
Other possible elements:

Table 9
Assessment of IT governance: ‘‘Organization’’.

[i] Control elements Importance: w[i] Implementation: g[i]


1 2 3 4 5 1 2 3 4 5
1 ‘‘Documentation’’ is available of the impact of IT use on business requirements 0 0 1 4 2 1 4 1 1 0
2 IT use supports the ‘‘performance’’ of the organization’ business activities 0 0 0 3 4 1 1 3 2 0
3 IT use supports the ‘‘flexibility’’ of the organization’ business activities 0 0 1 3 3 1 2 2 1 1
4 IT use supports the ‘‘security’’ of the organization’ business activities 0 0 2 3 2 0 2 3 0 2
5 IT use supports the utilization of the organization’ ‘‘physical assets’’. 0 1 1 2 3 0 3 1 2 1
6 IT use supports the utilization of the organization’ ‘‘financial assets’’ 0 0 1 3 3 0 1 3 1 2
7 IT use supports the utilization of the organization’ ‘‘human resources assets’’ 0 0 1 4 2 0 1 3 3 0
8 IT use supports the utilization of the organization’ ‘‘internal relations’’. 0 2 1 2 2 2 3 0 0 2
9 IT use supports the utilization of the organization’ ‘‘external relations’’ 0 0 0 5 2 1 1 4 0 1
10 IT supports ‘‘knowledge sharing’’ and the utilization of ‘‘intellectual assets’’ 0 0 2 3 2 1 2 2 2 0
Other possible elements:

Table 10
Assessment of IT governance: ‘‘People’’.

[i] Control elements Importance: w[i] Implementation: g[i]


1 2 3 4 5 1 2 3 4 5
1 ‘‘Documentation’’ is available of the impact of people on IT governance and use 0 0 1 4 2 2 4 0 1 0
2 ‘‘Awareness level of IT benefits’’ among organization’ decision makers 0 0 0 1 6 1 0 0 3 3
3 ‘‘Awareness level of IT benefits’’ among organization’ non-IT staff: users 0 0 2 3 2 3 0 2 1 1
4 ‘‘Awareness and training courses’’ for decision makers and non-IT staff 0 0 3 2 2 1 2 3 0 1
5 ‘‘Qualification and training’’ of IT staff 0 0 1 0 6 0 0 0 1 6
6 ‘‘Responsibility for decision making’’ is assigned 0 0 0 2 5 0 1 2 3 1
7 ‘‘Job description and responsibility’’ of IT personnel is assigned 0 1 0 2 4 0 2 2 1 2
8 ‘‘IT responsibility’’ of internal IT users is assigned 0 0 1 4 2 0 1 2 2 2
9 ‘‘IT responsibility’’ of external IT users is assigned 0 0 4 1 2 1 3 1 0 2
10 Use of ‘‘knowledge sharing’’ among all people concerned 0 0 0 5 2 0 3 3 0 1
Other possible elements:

one domain. The tables allow grading the importance and the implementation level of each element. In addition, each table permits adding additional control elements to its domain, so that knowledge sharing is enhanced. It should be noted that documentation, as an important knowledge availability and accumulation issue, is emphasized in all domains. In addition, the controls of the strategy have some similarities with controls of other domains; and this is due to the fact that strategy seeks development at all domains.

To enhance the understanding of the approach, an illustrative application is introduced in the following.

4. An illustrative application

For illustrating the use of the above approach, it has been applied to the IT governance of a Saudi organization, whose identity is kept concealed for business reasons. Seven senior staff members of the IT center of the organization, “K = 7”, have assessed all “50 IT governance control elements” presented in Tables 7–11 according to STOPE domains. The results of the assessment are given in the “importance” and “implementation” fields of every control element in these tables in terms of the number of staff who adopted a specified level for each field. The averages of the importance weights and implementation grades of all control elements are presented in Table 12 according to the five STOPE domains. The collective weighted implementation indicators for the STOPE domains are also given in the table.

Figs. 1–5 illustrate the results obtained for the control elements of every STOPE domain; and Fig. 6 shows the results of the overall weighted implementation indicators of the five STOPE domains. Various remarks can be derived from these results at the control element level and at the domain level. These would help specify

Table 11
Assessment of IT governance: ‘‘Environment’’.

[i] Control elements Importance: w[i] Implementation: g[i]


1 2 3 4 5 1 2 3 4 5
1 ‘‘Documentation’’ is available of the environment issues of IT governance and use 0 0 3 1 3 3 2 1 0 1
2 IT governance complies with relevant ‘‘international’’ regulations 0 0 2 3 2 2 2 1 0 2
3 IT governance complies with relevant ‘‘national’’ regulations 0 0 0 4 3 1 1 0 2 3
4 IT governance complies with relevant ‘‘organization’’ regulations. 0 0 1 3 3 0 0 3 0 4
5 IT governance complies with ‘‘its own’’ policy regulations 0 1 2 1 3 0 1 2 3 1
6 IT governance complies with relevant ‘‘agreements’’ (contracts) 0 0 1 3 3 1 1 2 0 3
7 IT governance provides ‘‘incentives’’ for IT utilization and good practice. 0 0 1 4 2 1 1 3 2 0
8 IT governance ensures ‘‘secure’’ environment for IT activities 0 0 0 2 5 0 1 1 3 2
9 IT governance responds to problems and enables ‘‘business continuity’’ 0 1 0 3 3 1 1 2 1 2
10 Outcome of ‘‘knowledge sharing’’ is considered for improvement 0 0 1 4 2 2 1 1 3 0
Other possible elements:

Table 12
Assessment results: average weights and grades and indicators.

Strategy Technology Organization People Environment


Con w g Con w g Con w g Con w g Con w g
1 4.71 2.57 1 4.71 3.43 1 4.14 2.29 1 4.14 2 1 4 2.14
2 4.29 2.86 2 4.14 3 2 4.57 2.86 2 4.86 4 2 4 2.71
3 4.29 3.14 3 4.57 3.43 3 4.29 2.86 3 4 2.57 3 4.43 3.71
4 4.14 2.86 4 4.29 3.67 4 4 3.29 4 3.86 2.71 4 4.29 4.14
5 4.43 2.86 5 4.14 3.57 5 4 3.14 5 4.71 4.86 5 3.86 3.57
6 4.43 2.86 6 4.43 3 6 4.71 3.57 6 4.71 3.57 6 4.71 3.43
7 4.57 3.28 7 4.86 4.26 7 4.14 3.29 7 4.29 3.43 7 4.14 2.86
8 4.14 2.29 8 4 3.71 8 3.57 2.57 8 4.14 3.71 8 4.71 3.86
9 4.14 2.86 9 4.71 4.26 9 4.29 2.86 9 3.71 2.86 9 4.14 3.29
10 4 2.86 10 4.14 2.71 10 4 3 10 4.26 2.86 10 4.14 2.71
‘‘S’’ Indicator ‘‘T’’ Indicator ‘‘O’’ Indicator ‘‘P’’ Indicator ‘‘E’’ Indicator
56.92% 70.42% 59.66% 66.09% 65.25%
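
The Table 6 formulas applied to the Table 7 (“Strategy”) vote counts, as an added example that is not code from the paper: each row's histogram of K = 7 votes becomes the averages w[i] and g[i], from which the indicator r and the widest importance-to-implementation gaps follow. The function names are assumptions of this example; the exact-fraction result is 56.90%, about 0.02 points below the 56.92% printed in Table 12, which is what the table's two-decimal averages give.

```python
"""Added example: Table 6 scoring applied to the Table 7 ("Strategy") counts."""
from fractions import Fraction

LEVELS = (1, 2, 3, 4, 5)   # five-point scale of Table 6
K = 7                      # assessors in the illustrative application

# Vote histograms copied from Table 7. For each control element [i]:
# (votes per level for importance w, votes per level for implementation g).
STRATEGY = {
    1: ((0, 0, 0, 2, 5), (0, 4, 2, 1, 0)),
    2: ((0, 0, 1, 3, 3), (1, 2, 2, 1, 1)),
    3: ((0, 1, 0, 2, 4), (1, 1, 3, 0, 2)),
    4: ((0, 0, 1, 4, 2), (1, 1, 4, 0, 1)),
    5: ((0, 0, 1, 2, 4), (1, 1, 3, 2, 0)),
    6: ((0, 0, 1, 2, 4), (0, 3, 2, 2, 0)),
    7: ((0, 0, 0, 3, 4), (1, 1, 1, 3, 1)),
    8: ((0, 0, 1, 4, 2), (3, 0, 3, 1, 0)),
    9: ((1, 0, 0, 2, 4), (1, 3, 0, 2, 1)),
    10: ((1, 0, 0, 3, 3), (2, 1, 1, 2, 1)),
}


def mean_level(hist, k=K):
    """Average level over k assessors from a histogram of votes per level.

    Rejects malformed rows: a row with a missing column (as Table 8,
    element 6 appears in this extraction) or with a vote count other than k
    would otherwise be averaged silently against the wrong levels.
    """
    if len(hist) != len(LEVELS):
        raise ValueError(f"expected {len(LEVELS)} counts, got {len(hist)}")
    if any(c < 0 for c in hist) or sum(hist) != k:
        raise ValueError(f"counts {hist} do not add up to {k} assessors")
    return Fraction(sum(level * c for level, c in zip(LEVELS, hist)), k)


def averages(table, k=K):
    """Map each element [i] to its exact (w[i], g[i]) averages."""
    return {i: (mean_level(w, k), mean_level(g, k))
            for i, (w, g) in table.items()}


def indicator(avgs):
    """Collective weighted implementation indicator r of Table 6, in percent."""
    num = sum(w * g for w, g in avgs.values())
    den = sum(w * max(LEVELS) for w, _ in avgs.values())
    return float(num / den * 100)


def widest_gaps(avgs, top=3):
    """Elements with the largest importance-minus-implementation gap."""
    ranked = sorted(avgs.items(), key=lambda kv: (-(kv[1][0] - kv[1][1]), kv[0]))
    return [(i, round(float(w - g), 2)) for i, (w, g) in ranked[:top]]


if __name__ == "__main__":
    avgs = averages(STRATEGY)
    for i, (w, g) in avgs.items():
        print(f"[{i:2}] w={float(w):.2f} g={float(g):.2f}")
    print(f"Strategy indicator r = {indicator(avgs):.2f}%")
    print("Widest gaps (element, w - g):", widest_gaps(avgs))
```
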

Fig. 1. Assessment of IT governance controls: Strategy.

Fig. 2. Assessment of IT governance controls: Technology.

Fig. 3. Assessment of IT governance controls: Organization.

Fig. 4. Assessment of IT governance controls: People.

Fig. 5. Assessment of requirement controls: Environment.

Fig. 6. IT governance performance (%): a STOPE view.

what needs to be done for the improvement of the current state of IT governance in the organization concerned. As an example, here are some useful observations.

• The given average importance weights of all control elements range between “3.57” and “4.86” out of “5”; while the given average implementation grades of all control elements range between “2” and “3.71” out of “5”. This shows that a gap is felt by the IT staff of the organization between what is seen as important in IT governance and what is actually implemented.
• Best match between importance and implementation exists in the control elements of “qualification and training of IT staff”, which is associated with the “people” domain, and of “IT governance compliance with relevant organization regulations” of the “environment” domain.
• The IT governance control element associated with “documentation” seems to have a mismatch problem between its importance and its implementation in all domains except for the “technology” domain.
• At the domain level, “strategy” has the least score, while “technology” has the highest score, which is only around “70%”.

5. Conclusions

The work presented in this paper has produced a simple approach that can be used as a tool for the assessment of IT governance in organizations, in order to guide development directions. The approach is distinguished for its integration of the basic requirements of key IT governance methods, its consideration of six-sigma phases for continuous development and responsiveness, and its emphasis of knowledge management and sharing. The developed approach provides “fifty” main IT governance control elements structured over the STOPE domains. It should be noted here that the work has given special attention to the human factor in IT governance through two main considerations. The first is the consideration of knowledge management, which is directly associated with human behavior; and the second is the consideration of a separate domain for people among the five main domains of the IT governance scope considered.

An application of the approach has been presented for the purpose of illustrating its use. Although the approach emphasizes key control elements associated with the basic IT governance requirements, it considers flexibility in responding to individual requirements and adding further control elements wherever needed.

References

Alfantookh, A., & Bakry, S. H. (2009). IT governance practices: ITIL. Saudi Computer Journal: Applied Computing and Informatics, 7(1), 56–65.
Bakry, S. H. (2004). Development of e-government: A STOPE view. International Journal of Network Management, 14(5), 339–350.
Bakry, S. H., & Alfantookh, A. (2006). IT governance practices: COBIT. Saudi Computer Journal: Applied Computing and Informatics, 5(2), 53–61.
Bin-Abbas, H., & Bakry, S. H. (2012). Knowledge management: An instrument for building the knowledge society. International Journal of Knowledge Society Research (IGI Publishing, USA), 3(3), 58–67.
COBIT 5 (2013): A business framework for the governance and management of enterprise IT. Information System Audit and Control Association. <http://www.isaca.org/cobit>.
De Feo, J. A., & Barnard, W. W. (2004). Juran Institute’s six sigma breakthrough and Beyond: Quality performance breakthrough methods. New York: McGraw-Hill.
ISO/IEC 20000 (2005): International standards organization/international electrotechnical commission. Information Technology-Service Management, Geneva 20, Switzerland.
ISO/IEC 38500 (2008). International standards organization/international electrotechnical commission, Corporate Governance of Information Technology, Geneva 20, Switzerland.
ITGI (2005). Information Technology Governance Institute COBIT (Control Objectives for Information and Related Technologies) 4: Control objectives, management guidelines and maturity models. Rolling Meadows, Illinois, USA, 2005.
ITIL (2013). Information Technology Infrastructure Library, the British Office of Government Commerce. <www.itil.org>.
OGC (2005). Office of government commerce, best practices: Introduction to ITIL, The Stationary Office, UK, December 2005.
Weill, P., & Ross, J. W. (2004). IT governance: How top performers manage IT decision rights for superior results. Boston, Massachusetts, USA: Harvard Business School Press.
