
Chapter 68 Assessing the Maturity of Control Objectives for Information and Related Technology (COBIT) Framework in the Egyptian Banking Sector

Hisham M. Abdelsalam

Cairo University, Egypt

Ahmed M Marzouk

IBM Egypt, Egypt

Haitham S. Hamza

Cairo University, Egypt

ABSTRACT

The banking sector in Egypt is one of the largest business sectors, both in its contribution to the country's economic growth and in its investment in information technology (IT).

Thus, implementing a good Information Technology (IT) governance framework inside Egyptian banks is a rather critical issue. The purpose of this chapter is to assess the importance and the implementation of Control Objectives for Information and Related Technology (COBIT) high-level processes in the Egyptian banking sector. A total of 25 working banks registered with the Central Bank of Egypt (CBE), drawn from public sector, private and joint venture, and foreign banks, were interviewed in a series of one-to-one interviews. The results of this study showed that although the majority of the interviewed Chief Information Officers (CIOs), IT Managers, IT Auditors and others perceived the importance of the COBIT high-level processes in their organizations, the majority of Egyptian banks have a below-average maturity level for most of the COBIT processes.

DOI: 10.4018/978-1-4666-6268-1.ch068

INTRODUCTION

Information systems do not exist in isolation. They are developed and operated within an environmental, most commonly business, context that has a significant effect on them, and this environment is increasingly complex and dynamic. Yet few organizations have realized the full potential of their information assets, although most consider their information essential to their operation. As Information Technology (IT) plays a larger and more visible role in driving business success, senior executives are under mounting pressure to clearly demonstrate the business value of IT and to prove that IT investments can generate a positive return while supporting business objectives (Sarvanan and Kohli, 2000).

Despite much talk about the business alignment of ICT, a permanent link between the mandates of business and IT management remains to be established, even in organizations well aware of their information management and of the business alignment issue (Pulkkinen and Hirvonen, 2005).

The past few years have witnessed increased attention to many standards and worldwide accepted frameworks that support the assessment and implementation of IT governance in various organizations. These include:

1. Control Objectives for Information and Related Technology (COBIT) with a focus on the IT processes in organizations;

2. Information Technology Infrastructure Library (ITIL) with a focus on IT service management; and

3. ISO/IEC 17799:2000, which is an information security standard.

The objectives, scope, and structure of each framework vary considerably, but all of them aim at, or can be used for, improving IT governance in organizations.

Corporate governance is a general term defined as “the system by which companies are directed and controlled” (Cadbury Report, 1992). Among the various aspects of corporate governance, IT governance is the one responsible for guaranteeing effective alignment between the use of (and investment in) IT and the organization’s business objectives. IT governance is thus a subset of corporate governance (Dellit, 2002; Hamaker, 2003) that is focused on IT systems, their performance and their risk management, and it has developed into a discipline of its own. IT governance is “specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT” (Weill and Ross, 2004) and is “an integral part of enterprise governance and consists of the leadership and organizational structures and processes to ensure that the organization sustains and extends its strategy and objectives” (ITGI, 2000).

The value of IT governance to corporate governance has risen with the understanding that the most important IT issues in the near future are not technology-related but governance-related (Guldentops, 2002). IT governance is the capability of an organization’s senior management to direct, measure and evaluate the use of IT resources in support of the organization’s strategic goals (Gray, 2004).

The primary goals of IT governance are to (1) ensure that the money invested in IT produces the expected business value, and (2) ensure that the risks associated with IT are well mitigated (Williams, 2006). A good IT governance system can help organizations manage their internal and external IT costs by running efficient IT processes, aligning these processes with business objectives, introducing the needed controls, and monitoring these processes to provide better visibility of and feedback on IT (Gray, 2004).

Among the various IT governance frameworks and standards, COBIT has emerged as a strong and powerful framework and has been used increasingly by many organizations in the public and private sectors throughout the world. COBIT was developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. The first edition of COBIT was published in 1996 and was intended to serve as an IT process and control framework linking IT to business requirements; the second edition was published in 1998. Since then, COBIT has been used as a framework for IT governance, providing management tools such as metrics and maturity models to complement the control framework.

The third version was released in 2000. In this edition, COBIT focused on IT governance, as management guidelines were added to it. Since its original release, COBIT has been enhanced with emerging international technical, professional, regulatory and industry-specific standards. In 2005, the fourth version of COBIT was released, and in May 2007 the IT Governance Institute (ITGI) released the incremental update COBIT 4.1, with which COBIT transitioned from an IT tool to an IT governance framework. The main changes introduced with COBIT 4.1 included streamlined control objectives, streamlined application controls, improved process controls, and an enhanced explanation of performance measurement.

COBIT is a comprehensive framework of 34 control objectives (high-level processes) divided into four categories which are: Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME).

The 34 high-level processes are linked to 318 tasks and activities to define an internal control framework that is powerful for communicating effectiveness and value to the business.

The COBIT framework was created with the main characteristics of being business-focused, process-oriented, controls-based and measurement-driven. To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. These are: effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability. While these criteria provide generic business requirements, COBIT defines a set of generic business and IT goals to offer a business-related and more refined basis for establishing business requirements and developing the metrics that measure performance against the seven information criteria, as well as identifying which of the IT resources (people, applications, technology, facilities and data) are involved.

For the management and control of IT processes in the organization, COBIT defines six maturity levels for these processes:

0. Non-Existent: Management processes are not applied at all.

1. Initial: Processes are ad hoc and disorganized.

2. Repeatable: Processes follow a regular pattern.

3. Defined: Processes are documented and communicated.

4. Managed: Processes are monitored and measured.

5. Optimized: Good practices are followed and automated.

Maturity levels are not designed for use as a threshold model, where one cannot move to the next higher level without having fulfilled all conditions of the lower level, but rather as a means to identify where issues lie and how to set priorities for enhancements.

The banking sector is one of the major contributors to Egypt’s economic growth, and it is one of the largest sectors in terms of investment in information technology. Investing in IT should add value to the business, and this is where the importance of IT governance comes into view.

COBIT is one of the most important and well-known IT governance frameworks today. The current research aims to assess the implementation of the Control Objectives for Information and Related Technology (COBIT) high-level processes in the Egyptian banking sector and thereby to better understand the performance and importance of IT governance in this sector.

Following this introduction, the rest of the chapter is organized as follows. Section 2 provides a review of related research on IT governance and on COBIT in particular, followed by a brief introduction to the context (the Egyptian banking sector) in Section 3. Objectives, data collection, and analysis methods are provided in Section 3, while detailed results and discussion are presented in Section 4. Finally, conclusions are given in Section 5.

LITERATURE REVIEW

Although IT governance in general and COBIT in particular are hot topics at present, because of the continuous rise in governance awareness and importance, there are not many published studies on the subject (Ridley et al., 2004; Williams, 2006).

Sohal and Fitzpatrick (2002) investigated IT governance and the management of information in Australian organizations using a questionnaire survey that was mailed to the most senior IT officer within each organization. The respondents were categorized into three groups based on the intensity with which the company uses information, namely high-tier, medium-tier and low-tier industries. The findings showed some interesting differences among the three groups regarding the measurement and accountability of IT delivery. The majority of senior IT executives surveyed believed it was imperative that their organizations address the alignment of their IT with their business strategy in the near future. Hadden (2002) studied the role of audit committees in monitoring IT risks. The instrument was developed from the 34 high-level control objectives identified in the COBIT model, and the results showed that audit committee oversight assessments were partially affected by prior COBIT experience.

The IT Governance Institute (ITGI) conducted a study that covered 335 Chief Executive Officers (CEOs) and Chief Information Officers (CIOs) in 21 countries. It was reported that while more than 91% of executives recognise that IT is vital to their business success, more than two-thirds of CEOs were not comfortable answering questions about governance and control over their IT processes. The paper confirms that the major problem continues to be “the inadequate view of how well IT is performing” (Son et al., 2005). Another ITGI study of entities currently using COBIT revealed that 75% of the surveyed entities found COBIT somewhat useful or very useful, 15% were unsure, and fewer than 10% responded negatively. The main problem identified by the respondents was the perceived complexity of the framework (Williams, 2006).

The role of information technology (IT) governance in corporate strategy was discussed by Brown (2006). The study examined the four elements of IT governance: value delivery, managing risk, maintaining accountability, and measurement of on-going programs and activities. This research showed that management’s commitment to and involvement with IT development at the senior management level, the IT management level, and the project management level significantly enhance the probability of success.

Luthy and Forcht (2006) compared COBIT and COSO for the purpose of compliance with rules and regulations. The comparison showed that both COSO and COBIT take an organization-wide view. However, COBIT only considers an organization-wide view to the extent of ensuring that IT governance is aligned with overall business objectives and organization governance. COBIT also provides very detailed IT control suggestions within its presentation of detailed control objectives. The study also concluded that COSO on its own might not provide sufficient guidance for organizations and auditors as they consider compliance with laws and regulations, and suggested that it might be useful, if not necessary, to use more than one framework for assessing compliance with rules and regulations.

The factors influencing the effectiveness of IT governance in an organization were studied by Bowen et al. (2007). Their study addresses the gap that exists between theoretical frameworks, prior empirical research, and contemporary practices on effective IT governance. Tuttle and Vandervelde (2007) studied the internal consistency of the conceptual model that underlies the COBIT internal control framework as it applies to an audit setting (including operational, compliance, and financial audit settings), examining auditor perceptions of audit risks. From a practical standpoint, the results suggested that it is very important and potentially very useful for the audit profession to seek academic examination of its practices. The findings suggest that the COBIT framework is significantly related to the overall risk assessments of the COBIT processes with which they are associated. The results should give auditors and policy-makers assurance that COBIT is an appropriate supplement to COSO in an IT setting.

Abu-Musa (2008) researched the importance and implementation of the COBIT processes in Saudi organizations. The study showed that the majority of respondents perceive the importance of the COBIT processes and domains, but a lower percentage believe that such processes are adequately implemented in their organizations. Banks, financial institutions, and service organizations were observed to show more concern for, and application of, COBIT processes compared with other organizations. The results also showed that IT specialists, internal auditors, and executive managers perceive and appreciate the importance of COBIT processes more than others.

In Egypt, El-Morshedy (2008) developed a framework that enables effective and efficient application of COBIT within audit and assessment activities. The proposed framework integrates four methodologies, which are:

1. Soft Systems Methodology (SSM),

2. Viable System Model (VSM),

3. Balanced Scorecard (BSC), and

4. Quality Function Deployment (QFD).

CONTEXT: EGYPTIAN BANKING SECTOR

The banking sector in Egypt is among the oldest and largest in the region. It has gone through many stages since the establishment of the first bank in 1856, followed by the emergence of private sector and joint venture banks during the period of the Open Door policy in the 1970s (Egypt State Information Service, 2009). In June 1998, major amendments to the Banking Law, which permitted private ownership of public banks, were approved by the Parliament.

Later in the nineties, as part of Egypt’s economic and financial reform program, the banking sector underwent reforms, privatization, mergers and acquisitions, and was completely liberalized. The goal of this banking reform was to create an efficient banking sector offering better quality services. The reform program was mainly based on promoting transparency and the use of adequate accounting and supervision standards. According to the law, banks are required to publish their financial statements on a quarterly basis in compliance with the International Accounting Standards (IAS). The Law also requires all banks to be audited by two different independent auditors, with auditors changing every two years.

Banks are supervised by the Banking Control Department of the Central Bank of Egypt (CBE), which has made considerable progress in developing its supervisory framework and staff using materials, procedures, and techniques obtained from other countries’ supervisory systems. According to the Financial Sector Assessment Program (FSAP) report of 2003, the CBE complied with most of the Basel Core Principles for Effective Banking Supervision.

Based on Central Bank of Egypt reports, the Egyptian banking sector currently consists of thirty-nine banks: five (5) public sector banks, twenty-seven (27) private and joint venture banks and seven (7) branches of foreign banks.

Many Egyptian banks are making huge investments in technology to maintain and upgrade their infrastructure, not only to provide new electronic information-based services, but also to manage their risk positions and pricing. At the same time, new off-the-shelf electronic services, such as on-line retail banking, are making it possible for very small institutions to take advantage of new technologies at quite reasonable cost. These developments might in the end change the competitive landscape in financial services in ways that cannot be predicted today.

More than other industries, financial institutions rely on gathering, processing, analyzing, and providing information to meet their customers’ needs. Given the importance of information in banking, it is not surprising that Egyptian banks were among the earliest adopters of automated information processing technology. Leveraging information technology assets can help institutions manage risks more efficiently, as outlined by Basel II. The financial sector will, therefore, rely significantly on IT service providers to provide a more coherent architecture for process automation, integration, and cost reduction mechanisms.

The IT Governance Institute, US (Pathak, 2005), outlines 11 potential business drivers for COBIT adaptation. Among these, four drivers would be the reason behind the potential interest of the Egyptian banking sector in COBIT. These are:

1. There is a need for IT governance;

2. Mergers and acquisitions are taking place;

3. A considerable part of the IT function is outsourced; and

4. Compliance with external requirements is of concern.

The CBE has directed banks to start building their own internal rating systems in preparation for Basel II (Egyptian Banking Sector Reform Policy: Areas of Future Actions, 2003).

RESEARCH METHODOLOGY

Objectives

This paper intends to explore the current status of COBIT practice in the Egyptian banking sector. More specifically, the paper attempts to:

1. Assess how the importance of COBIT high-level processes is perceived;

2. Measure the extent to which these processes are performed;

3. Examine whether there are any significant differences among respondent groups regarding their perception of the importance of COBIT high-level processes; and

4. Examine whether there are any significant differences among respondent groups regarding the implementation of these processes.

Three variables will be considered as moderating variables: bank type, familiarity with IT governance inside the bank, and the number of IT employees. In Egypt, there exist three types of banks: public sector, private and joint venture, and branches of foreign banks.

Data Collection and Analysis

In this research, a questionnaire was developed to assess and evaluate the importance and implementation of Control Objectives for Information and Related Technology (COBIT) high-level processes in the Egyptian banking sector. The questionnaire was based on the COBIT domains and the 34 high-level processes introduced in COBIT 4.1. It was pre-tested on a selected sample of Egyptian banks (2 public sector banks and 3 private and joint venture banks), and comments and suggestions were considered in the development and revision of the final questionnaire version.

A series of sixty one-to-one interviews with managerial levels in the IT departments of the Egyptian banks was conducted in order to collect the questionnaire data and to correctly assess the implementation of the COBIT high-level processes inside the banks. The managerial levels involved in these one-to-one meetings included CIOs, IT Directors, IT Managers, IT Project Managers, IT Quality Assurance Managers, IT Governance Managers and IT Auditors.

The questionnaire consisted of three main sections: demographic data, questions regarding the importance of COBIT high-level processes, and questions regarding the maturity of these processes. While the importance of the different processes represents how such importance is perceived in different banks, the maturity assessment was conducted by the researchers and included examination of related evidence of IT governance practice.

In this research, the sample unit is a ‘bank.’ A total of 25 banks out of the 39 banks registered with the Central Bank of Egypt (public sector, joint venture and foreign) were interviewed and included in the research sample, representing 64% of banks.

The collected data were processed using the Statistical Package for the Social Sciences (SPSS) version 16. Descriptive statistics of the collected data were analyzed in order to understand the main characteristics of the research variables. To investigate significant differences among independent groups of respondents with respect to the investigated COBIT processes, two non-parametric tests (Kruskal-Wallis and Mann-Whitney-Wilcoxon) were used.

RESULTS AND DISCUSSION

Sample Characteristics

The research sample, as Table 1 depicts, was stratified as follows: (1) three public sector banks out of the 5 working public sector banks (60%) registered with the Central Bank of Egypt (CBE); (2) four foreign banks out of the 7 working foreign banks (57%) registered with the CBE; and (3) eighteen private banks out of the 27 working private banks (66.7%) registered with the CBE.

Importance of COBIT High-Level Processes

Overall

Table 2 provides summary statistics of how the respondents perceived the importance of the various COBIT high-level processes. Generally, as the Table shows, the majority of these processes (33 out of 34) were seen as above ‘medium’ importance, with a tendency towards ‘important’ and ‘critical’; 12 processes were seen as ‘important’ and ‘critical.’ This is further illustrated in Figure 1, which provides the average importance of these processes.

Table 1. Research sample

| Type of Bank | Population | Respondents | Respondents % of Total Sample | Respondents % of Total Population |
|---|---|---|---|---|
| Public Sector Banks | 5 | 3 | 12% | 7.7% |
| Private and Joint Venture Banks | 27 | 18 | 72% | 46% |
| Branches of Foreign Banks | 7 | 4 | 16% | 10.3% |
| Total | 39 | 25 | 100% | 64% |

Table 2. Importance of COBIT high-level processes in Egyptian banks: Summary statistics

| Domain | COBIT High-Level Process | Not Important No. (%) | Low Important No. (%) | Medium No. (%) | Important No. (%) | Critical No. (%) |
|---|---|---|---|---|---|---|
| Plan and Organize | PO1 Define a Strategic IT Plan | 0 (0) | 0 (0) | 0 (0) | 13 (52) | 12 (48) |
| | PO2 Define the Information Architecture | 0 (0) | 0 (0) | 0 (0) | 23 (92) | 2 (8) |
| | PO3 Determine Technological Direction | 0 (0) | 0 (0) | 1 (4) | 15 (60) | 9 (36) |
| | PO4 Define the IT Processes, Organisation and Relationships | 0 (0) | 0 (0) | 1 (4) | 23 (92) | 1 (4) |
| | PO5 Manage the IT Investment | 0 (0) | 0 (0) | 2 (8) | 12 (48) | 11 (44) |
| | PO6 Communicate Management Aims and Direction | 0 (0) | 0 (0) | 3 (12) | 20 (80) | 2 (8) |
| | PO7 Manage IT Human Resources | 0 (0) | 0 (0) | 0 (0) | 17 (68) | 8 (32) |
| | PO8 Manage Quality | 0 (0) | 0 (0) | 0 (0) | 16 (64) | 9 (36) |
| | PO9 Assess and Manage IT Risks | 0 (0) | 0 (0) | 1 (4) | 11 (44) | 13 (52) |
| | PO10 Manage Projects | 0 (0) | 0 (0) | 2 (8) | 11 (44) | 12 (48) |
| Acquire and Implement | AI1 Identify Automated Solutions | 0 (0) | 0 (0) | 1 (4) | 19 (76) | 5 (20) |
| | AI2 Acquire and Maintain Application Software | 0 (0) | 0 (0) | 0 (0) | 21 (84) | 4 (16) |
| | AI3 Acquire and Maintain Technology Infrastructure | 0 (0) | 0 (0) | 0 (0) | 21 (84) | 4 (16) |
| | AI4 Enable Operation and Use | 0 (0) | 0 (0) | 1 (4) | 11 (44) | 13 (52) |
| | AI5 Procure IT Resources | 0 (0) | 0 (0) | 1 (4) | 17 (68) | 7 (28) |
| | AI6 Manage Changes | 0 (0) | 0 (0) | 1 (4) | 16 (64) | 8 (32) |
| | AI7 Install and Accredit Solutions and Changes | 0 (0) | 0 (0) | 1 (4) | 10 (40) | 14 (56) |
| Deliver and Support | DS1 Define and Manage Service Levels | 0 (0) | 0 (0) | 9 (36) | 16 (64) | 0 (0) |
| | DS2 Manage Third-party Services | 0 (0) | 0 (0) | 0 (0) | 12 (48) | 13 (52) |
| | DS3 Manage Performance and Capacity | 0 (0) | 0 (0) | 0 (0) | 22 (88) | 3 (12) |
| | DS4 Ensure Continuous Service | 0 (0) | 0 (0) | 0 (0) | 8 (32) | 17 (68) |
| | DS5 Ensure Systems Security | 0 (0) | 0 (0) | 0 (0) | 0 (0) | 25 (100) |
| | DS6 Identify and Allocate Costs | 0 (0) | 1 (4) | 13 (52) | 10 (40) | 1 (4) |
| | DS7 Educate and Train Users | 0 (0) | 1 (4) | 3 (12) | 18 (72) | 3 (12) |
| | DS8 Manage Service Desk and Incidents | 0 (0) | 0 (0) | 1 (4) | 22 (88) | 2 (8) |
| | DS9 Manage the Configuration | 0 (0) | 0 (0) | 3 (12) | 18 (72) | 4 (16) |
| | DS10 Manage Problems | 0 (0) | 0 (0) | 1 (4) | 20 (80) | 4 (16) |
| | DS11 Manage Data | 0 (0) | 0 (0) | 0 (0) | 3 (12) | 22 (88) |
| | DS12 Manage the Physical Environment | 0 (0) | 0 (0) | 3 (12) | 9 (36) | 13 (52) |
| | DS13 Manage Operations | 0 (0) | 0 (0) | 3 (12) | 20 (80) | 2 (8) |
| Monitor and Evaluate | ME1 Monitor and Evaluate IT Performance | 0 (0) | 0 (0) | 4 (16) | 14 (56) | 7 (28) |
| | ME2 Monitor and Evaluate Internal Control | 0 (0) | 0 (0) | 0 (0) | 17 (68) | 8 (32) |
| | ME3 Ensure Compliance With External Requirements | 0 (0) | 0 (0) | 0 (0) | 11 (44) | 14 (56) |
| | ME4 Provide IT Governance | 0 (0) | 0 (0) | 2 (8) | 22 (88) | 1 (4) |

Figure 1. Importance of COBIT high-level processes in Egyptian banks: Means

As Figure 1 shows, all of them are above 2.5 (on a 5-point scale). At the domain level, the four domains, Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate, were shown to have about the same importance, with averages of 3.28, 3.29, 3.21, and 3.2, respectively.

At the process level, however, Figure 2 depicts that the three highest-ranked processes belong to the Deliver and Support domain, while the highest-ranked Plan and Organize process (PO1) came 7th, followed by PO2. On the other hand, the three lowest-ranked processes from the importance perspective were also from the Deliver and Support domain. In fact, 5 out of the lowest 10 processes belong to the Deliver and Support domain.

Figure 2. Importance of COBIT high-level processes in Egyptian banks: Ranked means

Effect of Moderating Variables

Table 3 illustrates summary statistics of the differences between respondent groups regarding their perception of the importance of the COBIT high-level processes, based on three moderating variables: bank type, familiarity with IT governance inside the bank, and the number of IT employees in the bank.

The effect of bank type was tested using the Kruskal-Wallis test. The results showed no significant differences among respondent groups regarding their perception of the importance of the 34 COBIT high-level processes based on bank type.

The Mann-Whitney test was used to test the effect of the second variable, familiarity with IT governance inside the bank, and as shown in the table, there was a significant difference in five processes only (PO10, AI4, AI5, AI7, and DS1).

Finally, the effect of the number of IT employees was tested using the Kruskal-Wallis test, and the results showed no significant differences among respondent groups regarding their perception of the importance of the COBIT high-level processes based on that variable.

Maturity of COBIT High-Level Processes

Overall

Table 4 provides summary statistics of how mature the implementation of the 34 COBIT high-level processes is. Overall, as the Table shows, there is a noticeable range of variability in the maturity of these processes, from ‘non-existent’ to ‘optimized.’ This variability is further illustrated in Figure 3, which shows the average maturity of these processes. As shown, the average process maturity score ranges from 1.24 (DS10) to 4.16 (DS6).

On average, the Acquire and Implement domain showed the highest maturity with 3.14, followed by the Deliver and Support domain with 2.98, and then by the Plan and Organize and Monitor and Evaluate domains with 2.85 for both of them.

At the process level, Figure 4 depicts that the three highest processes belong to the Deliver and Support domain and the lowest process is DS10. Out of the lowest 10 processes, 5 belong to the Plan and Organize domain.
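The domain averages quoted above can be checked directly against the counts in Table 4. The following Python is an added example, not part of the chapter: it recomputes the per-process and per-domain maturity means from the Table 4 rows for the PO, AI and DS domains (the ME rows are not in this excerpt), and assumes the DS3 ‘Defined’ count, which is missing from the extracted table, is 5 so that the row sums to 25 banks.

```python
"""Recompute COBIT process maturity means from the Table 4 counts.

Each row gives the number of banks (out of 25) assessed at each of the six
COBIT maturity levels 0..5 (Non-existent, Initial/Ad Hoc, Repeatable,
Defined, Managed, Optimized). PO, AI and DS rows are copied from Table 4;
the ME rows are absent from this excerpt and therefore not included.
"""
from statistics import fmean

N_BANKS = 25
LEVELS = ("Non-existent", "Initial/Ad Hoc", "Repeatable",
          "Defined", "Managed", "Optimized")

# process code -> banks at maturity level 0, 1, 2, 3, 4, 5
TABLE4 = {
    "PO1": (0, 0, 2, 3, 20, 0),
    "PO2": (0, 2, 2, 18, 3, 0),
    "PO3": (0, 0, 4, 12, 9, 0),
    "PO4": (0, 0, 4, 19, 2, 0),
    "PO5": (0, 3, 11, 5, 6, 0),
    "PO6": (0, 2, 16, 7, 0, 0),
    "PO7": (0, 5, 8, 10, 0, 2),
    "PO8": (0, 9, 2, 8, 5, 1),
    "PO9": (0, 0, 11, 6, 8, 0),
    "PO10": (0, 2, 2, 11, 8, 2),
    "AI1": (0, 5, 11, 7, 2, 0),
    "AI2": (0, 1, 5, 14, 5, 0),
    "AI3": (0, 0, 5, 5, 15, 0),
    "AI4": (0, 0, 2, 9, 12, 2),
    "AI5": (0, 0, 2, 13, 8, 2),
    "AI6": (0, 3, 8, 10, 3, 1),
    "AI7": (0, 0, 0, 5, 20, 0),
    "DS1": (0, 11, 9, 5, 0, 0),
    "DS2": (0, 0, 0, 4, 13, 8),
    "DS3": (0, 1, 9, 5, 10, 0),   # 'Defined' count of 5 is assumed (row must sum to 25)
    "DS4": (0, 1, 0, 12, 11, 1),
    "DS5": (0, 0, 0, 5, 18, 2),
    "DS6": (5, 14, 1, 5, 0, 0),
    "DS7": (0, 3, 7, 12, 3, 0),
    "DS8": (1, 2, 5, 6, 11, 0),
    "DS9": (0, 2, 6, 9, 8, 0),
    "DS10": (0, 6, 9, 8, 2, 0),
    "DS11": (0, 0, 0, 2, 21, 2),
    "DS12": (0, 0, 4, 5, 16, 0),
    "DS13": (0, 0, 4, 14, 7, 0),
}


def check_row(counts):
    """Reject a row that does not account for exactly N_BANKS assessed banks."""
    if len(counts) != len(LEVELS):
        raise ValueError(f"expected {len(LEVELS)} level counts, got {len(counts)}")
    if sum(counts) != N_BANKS:
        raise ValueError(f"counts sum to {sum(counts)}, expected {N_BANKS}")


def process_mean(counts):
    """Average maturity level (0-5) of one process across the assessed banks."""
    check_row(counts)
    return sum(level * n for level, n in enumerate(counts)) / N_BANKS


def share_at_or_above(counts, min_level):
    """Share of banks whose maturity is at least min_level (2 = Repeatable)."""
    check_row(counts)
    return sum(counts[min_level:]) / N_BANKS


def all_process_means(table=TABLE4):
    """Per-process means, rounded to two decimals like the chapter's Figure 3."""
    return {code: round(process_mean(counts), 2) for code, counts in table.items()}


def domain_means(table=TABLE4):
    """Mean of the process means within each COBIT domain (PO, AI, DS)."""
    by_domain = {}
    for code, counts in table.items():
        domain = code.rstrip("0123456789")
        by_domain.setdefault(domain, []).append(process_mean(counts))
    return {domain: round(fmean(means), 2) for domain, means in by_domain.items()}


if __name__ == "__main__":
    for code, mean in sorted(all_process_means().items(), key=lambda kv: kv[1]):
        print(f"{code:5} {mean:.2f}")
    print(domain_means())
```

Running it reproduces the chapter's domain figures of 3.14 (AI), 2.98 (DS) and 2.85 (PO), which confirms that the extracted rows are complete.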

Effect of Moderating Variables

Table 5 illustrates summary statistics of group differences regarding the maturity of COBIT high-level processes based on the three moderating variables: bank type, familiarity with IT governance inside the bank, and the number of IT employees in the bank. While the Kruskal-Wallis test showed no significant differences based on the number of IT employees, significant differences were shown in 7 processes based on bank type (using the Kruskal-Wallis test), and significant differences were shown in 28 processes based on familiarity with IT governance inside the bank (using the Mann-Whitney test).

COBIT Domains’ Maturity: Comparison of Different Bank Types

Plan and Organize

This domain covers strategy and tactics, and concerns the proper organisation and technological infrastructure that should be put in place. It tackles management areas related to the alignment of IT and business strategy, quality, projects, risk assessment, and human resources.

In this study, the Plan and Organize (PO) processes were shown to be considerably mature, as four of them were repeatable or higher. Two processes (PO7 and PO10) showed optimized

Table 3. Importance of COBIT high-level processes: Testing the moderating variables

| Domain | COBIT High-Level Process | Bank Type (Kruskal-Wallis) χ² | p | Familiarity of IT Governance inside the bank (Mann-Whitney) W | p | Number of IT Employees (Kruskal-Wallis) χ² | p |
|---|---|---|---|---|---|---|---|
| Plan and Organize | PO1 Define a Strategic IT Plan | 4.98 | 0.083 | 141.0 | 0.079 | 5.35 | 0.254 |
| | PO2 Define the Information Architecture | 5.52 | 0.063 | 144.0 | 0.165 | 6.61 | 0.158 |
| | PO3 Determine Technological Direction | 2.16 | 0.340 | 157.0 | 0.448 | 3.66 | 0.454 |
| | PO4 Define the IT Processes, Organisation and Relationships | 3.67 | 0.160 | 169.0 | 1.000 | 3.20 | 0.525 |
| | PO5 Manage the IT Investment | 0.19 | 0.911 | 142.5 | 0.108 | 3.45 | 0.485 |
| | PO6 Communicate Management Aims and Direction | 2.07 | 0.354 | 152.0 | 0.185 | 2.33 | 0.675 |
| | PO7 Manage IT Human Resources | 0.72 | 0.699 | 142.0 | 0.069 | 0.40 | 0.983 |
| | PO8 Manage Quality | 0.27 | 0.872 | 148.0 | 0.170 | 5.88 | 0.209 |
| | PO9 Assess and Manage IT Risks | 1.57 | 0.456 | 150.0 | 0.711 | 3.51 | 0.476 |
| | PO10 Manage Projects | 1.45 | 0.484 | 114.0 | 0.001 | 0.92 | 0.922 |
| Acquire and Implement | AI1 Identify Automated Solutions | 2.72 | 0.257 | 157.0 | 0.380 | 2.12 | 0.714 |
| | AI2 Acquire and Maintain Application Software | 1.38 | 0.501 | 144.5 | 0.325 | 3.64 | 0.456 |
| | AI3 Acquire and Maintain Technology Infrastructure | 1.38 | 0.501 | 144.5 | 0.325 | 4.24 | 0.375 |
| | AI4 Enable Operation and Use | 4.14 | 0.126 | 133.0 | 0.026 | 2.66 | 0.617 |
| | AI5 Procure IT Resources | 0.88 | 0.646 | 133.0 | 0.016 | 2.38 | 0.667 |
| | AI6 Manage Changes | 1.81 | 0.405 | 163.0 | 0.698 | 9.66 | 0.047 |
| | AI7 Install and Accredit Solutions and Changes | 1.05 | 0.591 | 139.0 | 0.061 | 1.99 | 0.738 |
| Deliver and Support | DS1 Define and Manage Service Levels | 2.70 | 0.259 | 127.5 | 0.007 | 3.17 | 0.530 |
| | DS2 Manage Third-party Services | 0.50 | 0.780 | 140.5 | 0.330 | 1.63 | 0.804 |
| | DS3 Manage Performance and Capacity | 2.54 | 0.281 | 150.5 | 0.595 | 3.70 | 0.449 |
| | DS4 Ensure Continuous Service | 2.19 | 0.335 | 146.0 | 0.122 | 2.60 | 0.626 |
| | DS5 Ensure Systems Security | 0.00 | 1.000 | 169.0 | 1.000 | 0.00 | 1.000 |
| | DS6 Identify and Allocate Costs | 3.82 | 0.148 | 144.0 | 0.128 | 5.57 | 0.234 |
| | DS7 Educate and Train Users | 0.91 | 0.635 | 142.0 | 0.063 | 0.64 | 0.958 |
| | DS8 Manage Service Desk and Incidents | 0.14 | 0.932 | 150.0 | 0.563 | 4.89 | 0.298 |
| | DS9 Manage the Configuration | 2.06 | 0.357 | 153.0 | 0.270 | 2.51 | 0.643 |
| | DS10 Manage Problems | 0.60 | 0.739 | 150.0 | 0.639 | 4.76 | 0.313 |
| | DS11 Manage Data | 1.27 | 0.529 | 163.5 | 0.595 | 3.55 | 0.471 |
| | DS12 Manage the Physical Environment | 3.90 | 0.142 | 163.0 | 0.717 | 6.70 | 0.152 |
| | DS13 Manage Operations | 7.60 | 0.022 | 163.5 | 0.668 | 4.29 | 0.368 |
| Monitor and Evaluate | ME1 Monitor and Evaluate IT Performance | 0.19 | 0.910 | 152.5 | 0.316 | 4.96 | 0.291 |
| | ME2 Monitor and Evaluate Internal Control | 0.10 | 0.950 | 154.5 | 0.329 | 2.60 | 0.626 |
| | ME3 Ensure Compliance With External Requirements | 0.84 | 0.657 | 153.0 | 0.312 | 6.53 | 0.163 |
| | ME4 Provide IT Governance | 0.14 | 0.932 | 151.5 | 0.092 | 0.54 | 0.969 |

Table 4. Maturity of COBIT high-level processes in Egyptian banks: Summary statistics

Maturity levels: 0 Non-existent, 1 Initial/Ad Hoc, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized. Each cell gives the number of banks (No.) and the percentage of the 25 sampled banks (%).

Domain | COBIT High Level Process Name | Non-existent (0) No. / % | Initial/Ad Hoc (1) No. / % | Repeatable (2) No. / % | Defined (3) No. / % | Managed (4) No. / % | Optimized (5) No. / %
Plan and Organize | PO1 Define a Strategic IT Plan | 0 / 0 | 0 / 0 | 2 / 8 | 3 / 12 | 20 / 80 | 0 / 0
 | PO2 Define the Information Architecture | 0 / 0 | 2 / 8 | 2 / 8 | 18 / 72 | 3 / 12 | 0 / 0
 | PO3 Determine Technological Direction | 0 / 0 | 0 / 0 | 4 / 16 | 12 / 48 | 9 / 36 | 0 / 0
 | PO4 Define the IT Processes, Organisation and Relationships | 0 / 0 | 0 / 0 | 4 / 16 | 19 / 76 | 2 / 8 | 0 / 0
 | PO5 Manage the IT Investment | 0 / 0 | 3 / 12 | 11 / 44 | 5 / 20 | 6 / 24 | 0 / 0
 | PO6 Communicate Management Aims and Direction | 0 / 0 | 2 / 8 | 16 / 64 | 7 / 28 | 0 / 0 | 0 / 0
 | PO7 Manage IT Human Resources | 0 / 0 | 5 / 20 | 8 / 32 | 10 / 40 | 0 / 0 | 2 / 8
 | PO8 Manage Quality | 0 / 0 | 9 / 36 | 2 / 8 | 8 / 32 | 5 / 20 | 1 / 4
 | PO9 Assess and Manage IT Risks | 0 / 0 | 0 / 0 | 11 / 44 | 6 / 24 | 8 / 32 | 0 / 0
 | PO10 Manage Projects | 0 / 0 | 2 / 8 | 2 / 8 | 11 / 44 | 8 / 32 | 2 / 8
Acquire and Implement | AI1 Identify Automated Solutions | 0 / 0 | 5 / 20 | 11 / 44 | 7 / 28 | 2 / 8 | 0 / 0
 | AI2 Acquire and Maintain Application Software | 0 / 0 | 1 / 4 | 5 / 20 | 14 / 56 | 5 / 20 | 0 / 0
 | AI3 Acquire and Maintain Technology Infrastructure | 0 / 0 | 0 / 0 | 5 / 20 | 5 / 20 | 15 / 60 | 0 / 0
 | AI4 Enable Operation and Use | 0 / 0 | 0 / 0 | 2 / 8 | 9 / 36 | 12 / 48 | 2 / 8
 | AI5 Procure IT Resources | 0 / 0 | 0 / 0 | 2 / 8 | 13 / 52 | 8 / 32 | 2 / 8
 | AI6 Manage Changes | 0 / 0 | 3 / 12 | 8 / 32 | 10 / 40 | 3 / 12 | 1 / 4
 | AI7 Install and Accredit Solutions and Changes | 0 / 0 | 0 / 0 | 0 / 0 | 5 / 20 | 20 / 80 | 0 / 0
Deliver and Support | DS1 Define and Manage Service Levels | 0 / 0 | 11 / 44 | 9 / 36 | 5 / 20 | 0 / 0 | 0 / 0
 | DS2 Manage Third-party Services | 0 / 0 | 0 / 0 | 0 / 0 | 4 / 16 | 13 / 52 | 8 / 32
 | DS3 Manage Performance and Capacity | 0 / 0 | 1 / 4 | 9 / 36 | 5 / 20 | 10 / 40 | 0 / 0
 | DS4 Ensure Continuous Service | 0 / 0 | 1 / 4 | 0 / 0 | 12 / 48 | 11 / 44 | 1 / 4
 | DS5 Ensure Systems Security | 0 / 0 | 0 / 0 | 0 / 0 | 5 / 20 | 18 / 72 | 2 / 8
 | DS6 Identify and Allocate Costs | 5 / 20 | 14 / 56 | 1 / 4 | 5 / 20 | 0 / 0 | 0 / 0
 | DS7 Educate and Train Users | 0 / 0 | 3 / 12 | 7 / 28 | 12 / 48 | 3 / 12 | 0 / 0
 | DS8 Manage Service Desk and Incidents | 1 / 4 | 2 / 8 | 5 / 20 | 6 / 24 | 11 / 44 | 0 / 0
 | DS9 Manage the Configuration | 0 / 0 | 2 / 8 | 6 / 24 | 9 / 36 | 8 / 32 | 0 / 0
 | DS10 Manage Problems | 0 / 0 | 6 / 24 | 9 / 36 | 8 / 32 | 2 / 8 | 0 / 0
 | DS11 Manage Data | 0 / 0 | 0 / 0 | 0 / 0 | 2 / 8 | 21 / 84 | 2 / 8
 | DS12 Manage the Physical Environment | 0 / 0 | 0 / 0 | 4 / 16 | 5 / 20 | 16 / 64 | 0 / 0
 | DS13 Manage Operations | 0 / 0 | 0 / 0 | 4 / 16 | 14 / 56 | 7 / 28 | 0 / 0
Monitor and Evaluate | ME1 Monitor and Evaluate IT Performance | 0 / 0 | 4 / 16 | 9 / 36 | 9 / 36 | 1 / 4 | 2 / 8
 | ME2 Monitor and Evaluate Internal Control | 0 / 0 | 0 / 0 | 2 / 8 | 8 / 32 | 15 / 60 | 0 / 0
 | ME3 Ensure Compliance With External Requirements | 0 / 0 | 0 / 0 | 1 / 4 | 7 / 28 | 17 / 68 | 0 / 0
 | ME4 Provide IT Governance | 2 / 8 | 12 / 48 | 4 / 16 | 5 / 20 | 2 / 8 | 0 / 0

Figure 3. Maturity of COBIT high-level processes in Egyptian banks: Means

Figure 4. Maturity of COBIT high-level processes in Egyptian banks: Ranked means
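As an added worked example (not code from the chapter), the following Python reproduces the step from Table 4 to Figures 3 and 4: it takes the per-level bank counts for a process, checks that each row is usable (six levels, counts summing to the 25 sampled banks), computes the mean maturity on the 0 to 5 scale, and ranks processes by that mean. The process subset and its counts are copied from Table 4; the defective rows used for the check and the share of banks at "Defined" or better are constructed additions, not figures from the chapter.

```python
"""Mean maturity and ranking of COBIT processes from a Table 4 style frequency table.

Added worked example, not part of the chapter. The counts below are copied from
Table 4 for a subset of processes; the maturity scale is the chapter's
(0 Non-existent ... 5 Optimised); the sample size is the chapter's 25 banks.
"""
from __future__ import annotations

SAMPLE_SIZE = 25  # banks interviewed in the chapter
LEVELS = ("Non-existent", "Initial/Ad Hoc", "Repeatable", "Defined", "Managed", "Optimised")

# Number of banks at each maturity level 0..5, per process (subset copied from Table 4).
TABLE4_SUBSET: dict[str, tuple[int, ...]] = {
    "PO1 Define a Strategic IT Plan": (0, 0, 2, 3, 20, 0),
    "PO8 Manage Quality": (0, 9, 2, 8, 5, 1),
    "AI7 Install and Accredit Solutions and Changes": (0, 0, 0, 5, 20, 0),
    "DS1 Define and Manage Service Levels": (0, 11, 9, 5, 0, 0),
    "DS5 Ensure Systems Security": (0, 0, 0, 5, 18, 2),
    "DS6 Identify and Allocate Costs": (5, 14, 1, 5, 0, 0),
    "DS11 Manage Data": (0, 0, 0, 2, 21, 2),
    "ME4 Provide IT Governance": (2, 12, 4, 5, 2, 0),
}


def validate_row(counts: tuple[int, ...], n: int = SAMPLE_SIZE) -> list[str]:
    """Return the problems with one frequency row; an empty list means the row is usable.

    A row must have one count per maturity level, no negative counts, and counts that
    add up to the sample size; a mean computed from anything else is meaningless.
    """
    problems = []
    if len(counts) != len(LEVELS):
        problems.append(f"expected {len(LEVELS)} counts, got {len(counts)}")
    if any(c < 0 for c in counts):
        problems.append("negative count")
    if sum(counts) != n:
        problems.append(f"counts sum to {sum(counts)}, expected {n}")
    return problems


def validate_table(table: dict[str, tuple[int, ...]], n: int = SAMPLE_SIZE) -> dict[str, list[str]]:
    """Map each defective process row to its problems; an empty dict means the table is clean."""
    return {name: problems for name, row in table.items() if (problems := validate_row(row, n))}


def percentages(counts: tuple[int, ...]) -> tuple[int, ...]:
    """Percent of banks at each level, as printed in the % columns of Table 4."""
    total = sum(counts)
    return tuple(round(100 * c / total) for c in counts)


def mean_maturity(counts: tuple[int, ...]) -> float:
    """Weighted mean maturity: each level index (0..5) weighted by the banks at that level."""
    total = sum(counts)
    return sum(level * c for level, c in enumerate(counts)) / total


def share_at_or_above(counts: tuple[int, ...], level: int) -> float:
    """Fraction of banks at `level` or higher, e.g. level 3 means at least 'Defined'."""
    return sum(counts[level:]) / sum(counts)


def rank_processes(table: dict[str, tuple[int, ...]]) -> list[tuple[str, float]]:
    """Processes sorted from most to least mature by mean maturity (cf. Figure 4)."""
    return sorted(((name, mean_maturity(row)) for name, row in table.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    defects = validate_table(TABLE4_SUBSET)
    if defects:
        raise SystemExit(f"unusable rows: {defects}")
    for name, mean in rank_processes(TABLE4_SUBSET):
        row = TABLE4_SUBSET[name]
        print(f"{mean:4.2f}  {share_at_or_above(row, 3):4.0%} at 'Defined' or better  {name}")
```

The validation step matters more than it looks: a frequency row that lost a cell in transcription still produces a plausible-looking mean, so the row check (six cells, sum equal to the sample size) should run before any mean or ranking is reported. The "Defined or better" share is a complementary view to the mean, since a mean of about 2.5 can come from a bimodal distribution (as for PO8) as well as from a cluster at "Repeatable".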

Table 5. Maturity of COBIT high-level processes: Testing the moderating variables

Bank type and number of IT employees: Kruskal-Wallis test (χ² statistic and p-value). Familiarity with IT governance inside the bank: Mann-Whitney test (W statistic and p-value).

Domain | COBIT High Level Process Name | Bank type χ² | p | Familiarity with IT governance W | p | Number of IT employees χ² | p
Plan and Organize | PO1 Define a Strategic IT Plan | 5.182 | 0.075 | 150.5 | 0.149 | 4.239 | 0.375
 | PO2 Define the Information Architecture | 1.891 | 0.388 | 153.5 | 0.286 | 2.340 | 0.673
 | PO3 Determine Technological Direction | 2.450 | 0.294 | 123 | 0.006 | 2.190 | 0.701
 | PO4 Define the IT Processes, Organisation and Relationships | 2.605 | 0.272 | 136 | 0.016 | 3.879 | 0.423
 | PO5 Manage the IT Investment | 1.198 | 0.549 | 125.5 | 0.012 | 1.809 | 0.771
 | PO6 Communicate Management Aims and Direction | 6.296 | 0.043 | 139 | 0.054 | 1.306 | 0.860
 | PO7 Manage IT Human Resources | 1.252 | 0.535 | 118 | 0.003 | 1.063 | 0.900
 | PO8 Manage Quality | 4.070 | 0.131 | 129.5 | 0.025 | 3.599 | 0.463
 | PO9 Assess and Manage IT Risks | 7.307 | 0.026 | 119 | 0.004 | 2.480 | 0.648
 | PO10 Manage Projects | 6.185 | 0.045 | 125.5 | 0.012 | 1.639 | 0.802
Acquire and Implement | AI1 Identify Automated Solutions | 5.788 | 0.055 | 124.5 | 0.010 | 3.744 | 0.442
 | AI2 Acquire and Maintain Application Software | 2.315 | 0.314 | 115.5 | 0.001 | 1.757 | 0.780
 | AI3 Acquire and Maintain Technology Infrastructure | 3.433 | 0.180 | 124 | 0.005 | 4.000 | 0.406
 | AI4 Enable Operation and Use | 3.531 | 0.171 | 132.5 | 0.031 | 1.046 | 0.903
 | AI5 Procure IT Resources | 1.162 | 0.559 | 112.5 | 0.001 | 2.635 | 0.621
 | AI6 Manage Changes | 4.089 | 0.129 | 129 | 0.022 | 3.070 | 0.546
 | AI7 Install and Accredit Solutions and Changes | 2.333 | 0.311 | 139 | 0.019 | 4.600 | 0.331
Deliver and Support | DS1 Define and Manage Service Levels | 10.389 | 0.006 | 135 | 0.046 | 6.426 | 0.169
 | DS2 Manage Third-party Services | 5.868 | 0.053 | 119.5 | 0.003 | 3.239 | 0.519
 | DS3 Manage Performance and Capacity | 3.263 | 0.196 | 109 | 0.001 | 6.475 | 0.166
 | DS4 Ensure Continuous Service | 7.470 | 0.024 | 132 | 0.025 | 2.351 | 0.671
 | DS5 Ensure Systems Security | 2.805 | 0.246 | 131 | 0.009 | 3.669 | 0.453
 | DS6 Identify and Allocate Costs | 9.580 | 0.008 | 125.5 | 0.009 | 4.717 | 0.318
 | DS7 Educate and Train Users | 3.072 | 0.215 | 121.5 | 0.005 | 3.892 | 0.421
 | DS8 Manage Service Desk and Incidents | 3.702 | 0.157 | 124.5 | 0.010 | 5.822 | 0.213
 | DS9 Manage the Configuration | 5.102 | 0.078 | 137 | 0.068 | 2.337 | 0.674
 | DS10 Manage Problems | 6.468 | 0.039 | 127.5 | 0.018 | 5.944 | 0.203
 | DS11 Manage Data | 1.833 | 0.400 | 157.5 | 0.327 | 3.000 | 0.558
 | DS12 Manage the Physical Environment | 1.756 | 0.416 | 140.5 | 0.069 | 4.391 | 0.356
 | DS13 Manage Operations | 2.778 | 0.249 | 133 | 0.029 | 5.940 | 0.204
Monitor and Evaluate | ME1 Monitor and Evaluate IT Performance | 5.032 | 0.081 | 122 | 0.007 | 4.480 | 0.345
 | ME2 Monitor and Evaluate Internal Control | 5.968 | 0.051 | 120.5 | 0.002 | 4.037 | 0.401
 | ME3 Ensure Compliance With External Requirements | 1.802 | 0.406 | 133 | 0.016 | 3.400 | 0.493
 | ME4 Provide IT Governance | 4.420 | 0.110 | 104.5 | 0.000 | 1.061 | 0.900

Figure 5. COBIT domains: Plan and organize processes

maturity in two banks. On average, as Figure 5 shows, all PO processes reached almost the same maturity level across bank types, with the exception of PO8, PO9 and PO10, which showed higher maturity in foreign banks than in public and private banks.

Defining a strategic IT plan (PO1) showed high maturity, with 80% of banks at the “Managed” level. This can be attributed to the fact that the process is closely monitored by the bank's board of directors and by business management; from the perspective of CIOs and IT managers it is the most important link between IT and business, and it is also the starting point for planning future business needs.

PO3 is more mature in foreign banks than in private and public banks, mainly because foreign banks have an IT architecture board, responsible for providing architecture guidelines and technology direction, and a technology infrastructure plan that covers the acquisition of technology infrastructure and the response to changes in the competitive environment. In the studied public sector banks this process was most often (66.67%) at the “Defined” level, because these banks lack a stated technology direction and their IT departments respond slowly to competitive changes, taking many procedures and precautions to minimise investment and risk. Public sector banks in general have no preferred technology direction of their own; most of the time they adopt the technology directions that have proved successful in private and foreign banks.

Foreign banks showed higher maturity for PO4 than private and public sector banks because they have an IT process framework that ensures transparency and control and involves senior executives and business management. Foreign banks also reported that processes, procedures and administrative policies are in place for all functions, especially control, quality assurance and risk management. In addition, all job descriptions for IT staff are clearly defined, as are supervision and segregation of duties. Private and public sector banks have the same process at a lower maturity level because most of the controls for that process are absent.

Managing quality (PO8) is highly mature in foreign banks compared with public sector and private banks because foreign banks have a Quality Management System (QMS) and a quality assurance department responsible for ensuring that IT delivers the expected value to business stakeholders without deviation. In the public sector banks the QMS is still under development.

The same holds for managing projects (PO10), which is highly mature in foreign banks compared with public sector and private banks because of a project management framework that ensures the correct prioritisation and coordination of all projects. All sampled foreign banks now have a project management unit for all IT projects, or at least a project management function.

Finally, the critical process of assessing and managing IT risks (PO9) is also highly mature in foreign banks compared with public sector and private banks because of a risk management framework for identifying and mitigating IT risks; many foreign banks have a risk management function responsible for ensuring that this process operates properly.

Acquire and Implement

Realizing the IT strategy requires potential IT solutions to be identified, developed or acquired, implemented and integrated into the business process. This domain also covers the maintenance of existing systems, management of system changes, procurement, operation and use of new and current systems, and verification of installed solutions.

Comparing the maturity of this domain's processes across the three bank types in Egypt, Figure 6 indicates a fairly even maturity across almost all processes. Unlike the PO domain, public banks outperformed foreign ones in two processes, AI1 and AI2. Foreign banks, however, performed better on the following four processes.

Acquiring and maintaining technology infrastructure (AI3) is highly mature in foreign banks compared to public sector and private banks because of established processes for the acquisition, implementation and upgrade of technology infrastructure. The same

Figure 6. COBIT domains: Acquire and implement processes

Enabling operation and use (AI4) is also highly mature in foreign banks compared to public sector and private banks because of processes that produce documentation and manuals for users and IT staff and provide training for IT and end users.

Deliver and Support

This domain is concerned with the delivery of required services, including service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It covers management issues related to the alignment of delivered IT services with business priorities, cost optimization, user capacity, and security.

Results of this study showed that public banks had higher maturity than foreign banks in four processes (DS2, DS8, DS12, DS13), while their maturity in the remaining processes was lower than that of the foreign banks.

Although defining and managing service levels (DS1) is an important process from the IT governance perspective, as it links business with IT, this study found very low maturity for it across the sampled banks, and the result was even worse in public and private banks: to date these banks have no formalised process for measuring service level agreements between business and IT.

With respect to another critical process, ensuring systems security (DS5), all examined banks paid very high attention to its importance; every respondent bank reported that it considers this the most important IT governance process for the bank. Because of the criticality of the process, it already receives a great deal of focus and auditing, which is why it is at the “Managed” maturity level most of the time.

On cost optimization (DS6), foreign banks showed a high maturity level compared to private and public sector banks because they operate a system that captures, allocates and reports IT costs to the users of services (see Figure 7).

Figure 7. COBIT domains: Deliver and support processes

Monitor and Evaluate

To guarantee continuous improvement and effective IT governance practice, all IT processes need to be assessed on a regular basis for performance and compliance with control requirements. This domain covers management issues related to performance management, monitoring of internal control, regulatory compliance and governance.

For processes in this domain, foreign banks showed considerably higher maturity than public banks with respect to ME1 and ME4. Although performance evaluation is required by law, public banks concentrate mainly on workforce performance and do not cover other functional areas such as IT performance (see Figure 8).

Most of the examined banks showed low maturity for the provide IT governance (ME4) process, especially private and public sector banks. Most of the interviewed CIOs and IT managers, especially those who reported that their organisations are not familiar with IT governance, see the value of IT governance in implementing some individual COBIT processes rather than the whole framework. In the interviews these CIOs also stated that implementing the IT governance framework in Egyptian banks will need supervision and support from the Central Bank of Egypt (CBE).

CONCLUSION

The purpose of this research was to assess the implementation of the Control Objectives for Information and Related Technology (COBIT) domains and high-level processes in the Egyptian banking sector. The results will enable Egyptian banks to better understand, evaluate, implement and manage information technology governance for their business success. The research provides useful information for executive managers, IT managers, accountants, auditors, and academics seeking to understand how well the COBIT processes are implemented in Egyptian banks.

The motivation for, and thus the importance of, this study stems from three sources:

Figure 8. COBIT domains: Monitor and evaluate processes

1. The banking sector is one of the largest sectors in Egypt in terms of contribution to GDP and in its use of information technology to support banking business processes and requirements (Egypt State Information Service, 2009); this is why a good IT governance framework is needed to align business requirements and information technology in the banking sector.

2. The Central Bank of Egypt is preparing banks for the introduction of the Basel II regulations. The CBE Banking Institute arranged seminars for Egyptian bankers in preparation for Basel II requirements, and the CBE has instructed banks to start building their own internal rating systems in preparation for Basel II (Central Bank of Egypt, 2003). This continuous focus from the CBE on Basel II implementation will pave the way for IT governance requirements inside Egyptian banks, and COBIT is a likely candidate framework because of the existing relations between Basel II and COBIT.

3. There was no similar published research on the practice of IT governance in the Egyptian banking sector or in other developing countries like Egypt.

The presented results answered the four intended objectives of the research:

1. Assessing how the importance of COBIT high-level processes is perceived.

2. Measuring the extent to which these pro­cesses are performed.

3. Examining whether there are significant differences among respondent groups in their perception of the importance of COBIT high-level processes.

4. Examining whether there are significant differences among respondent groups in the implementation of these processes.

In general, the study revealed that although IT governance (COBIT high-level) processes are perceived as important and critical, the practice of these processes, measured in terms of maturity levels, is still inadequate for the sector's requirements.

Foreign banks operating in Egypt, however, performed better than public banks on the majority of processes.

At the local level, this study recommends the following actions to enhance IT governance practice in the Egyptian banking sector:

1. The CBE should sponsor an IT governance awareness program through the Federation of Egyptian Banks to raise awareness and understanding of IT governance concepts and approaches inside Egyptian banks, especially at management levels.

2. The CBE should launch a program to start implementing IT governance frameworks and standards inside Egyptian banks, with a clear roadmap and deadlines.

3. The CBE should train internal IT auditors as well as external auditors on IT governance concepts and standards so that they can start monitoring IT governance performance inside Egyptian banks.

4. IT managers can start implementing COBIT high-level processes, beginning with the most important processes from their organisation's perspective and ending with the least important.

Finally, future work would include repeating the same study in other IT-intensive sectors in Egypt, such as telecommunications and insurance.

REFERENCES

Abu-Musa, A. A. (2008). Exploring information technology governance (ITG) in developing coun­tries: An empirical study. The International Jour­nal of Digital Accounting Research, 9, 99-126.

Bowen, P. L., Cheung, M. D., & Rohde, F. H. (2007). Enhancing IT governance practices: A model and case study of an organization’s efforts. International Journal of Accounting Information Systems, 8(3), 191-221.

Brown, W. (2006). IT governance, architectural competency, and the Vasa. Emerald Group Pub­lishing Limited.

Cadbury, A. (1992). The financial aspects of corporate governance. London, UK: Gee.

Central Bank of Egypt. (2003). Egyptian banking sector reform policy: Areas of future actions. Retrieved September 4, 2010, from http://www.cbe.org.eg/public/Egyptian%20banking%20reform%20policy_WB.doc

Dellit, C. (2002). Governance and the emerging salience of technology. Software, October, 19-24.

Egypt State Information Service. (2009). The banking sector in Egypt. Retrieved August 30, 2010, from http://www.sis.gov.eg/En/Economy/banking/bankingsector/050401000000000001.htm

El-Morshedy, R. M. (2008). Technology trans­fer of information systems auditing and control standards. Unpublished thesis, Cairo University, Faculty of Computers & Information, Information Systems Department.

Gray, H. (2004). Is there a relationship between IT governance and corporate governance? Un­published Master’s thesis, UK.

Guldentops, E. (2002). Knowing the environment: top five IT issues. Information Systems Control Journal, 4, 15-16.

Hadden, L. B. (2002). An investigation of the audit committee and its role in monitoring information technology risks. D.B.A., Nova Southeastern University, AAT 3074875.

Hamaker, S. (2003). Spotlight on governance. Information Systems Control Journal, 1, 15-19.

IT Governance Institute (ITGI). (2000). Board briefing on IT governance. Retrieved from www.itgi.org

Luthy, D., & Forcht, K. (2006). Laws and regu­lations affecting information management and frameworks for assessing compliance. Informa­tion Management & Computer Security, 14(2), 155-166.

Pathak, J. (2005). Information technology audit­ing. Berlin, Germany: Springer.

Pulkkinen, M., & Hirvonen, A. P. (2005). Or­ganizational processes in ICT management and evaluation. Experiences with large organizations. In D. Remenyi (Ed.), Proceedings 12th European Conference on Information Technology Evalua­tion, Turku, Finland, 29-30 September 2005, Trin­ity College Dublin, Ireland. ISBN: 1-905305-08-7

Ridley, G., Young, J., & Carol, P. (2004). COBIT and its utilization: A framework from the literature. Proceedings of the 37th Hawaii International Conference on System Sciences - 2004. New York, NY: IEEE.

Sarvanan, D., & Kohli, R. (2000). The IT payoff: Measuring the business value of information technology investment. New Jersey: Prentice Hall.

Sohal, A. S., & Fitzpatrick, P. (2002). IT gover­nance and management in large Australian orga­nizations. International Journal of Production Economics, 75(1/2), 97-112.

Son, S., Weitzel, T., & Laurent, F. (2005). De­signing a process-oriented framework for IT performance management systems. The Electronic Journal Information Systems Evaluation, 8(3), 219-228.

Tuttle, B., & Vandervelde, S. D. (2007). An empirical examination of COBIT as an internal control framework for information technology. International Journal of Accounting Information Systems, 8(4), 240-263.

Weill, P., & Ross, J. W. (2004). IT governance: How top performers manage IT decision rights for superior results. Boston, MA: Harvard Busi­ness School Press.

Williams, P. (2006, September 19). A helping hand with IT governance. Computer Weekly, p. 26. Retrieved September 3, 2010, from http://www.computerweekly.com/Articles/2006/09/19/218517/a-helping-hand-with-it-governance.htm

KEY TERMS AND DEFINITIONS

Basel II: The second of the Basel Committee on Banking Supervision's accords: a set of recommendations on banking regulation and supervision issued by the Committee, which its member jurisdictions implement through national regulation.

Chief Information Officer: A job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals.

Control Objectives for Information and Related Technology (COBIT): A framework of best practices for IT management, first published in 1996 by the Information Systems Audit and Control Association (ISACA) and subsequently developed with the IT Governance Institute (ITGI). COBIT is an IT governance control framework that helps organizations meet business challenges in the areas of regulatory compliance, risk management and alignment of IT strategy with organizational goals.

Information Technology Governance: The capability of an organization's senior management to direct, measure and evaluate the use of IT resources in support of the organization's strategic goals.

Information Technology Maturity: A method of evaluating the organisation so that it can be rated on a maturity scale from non-existent (0) to optimised (5). This provides the basis for improvement and for reaching the appropriate level of management and control over the information infrastructure.

This work was previously published in IT Security Governance Innovations, edited by Daniel Mellado, Luis Enrique Sanchez, Eduardo Fernandez-Medina, and Mario G. Piattini, pages 111-130, copyright 2013 by Information Science Reference (an imprint of IGI Global).

Source: Banking, Finance, and Accounting: Concepts, Methodologies, Tools, and Applications. IGI Global, 2014. 1593 p.
