A Critical Analysis of IS Governance Frameworks: A Metamodel of the Integrated Use of CobiT Framework

Information Systems Governance (ISG) is an essential component of corporate governance. It refers to the implementation of the means of decision-making. A considerable number of studies on ISG have been published. Nevertheless, there is a need to conceptualize and model this theoretical context. The aim of this paper is to provide a study of the frameworks that cover this domain, to model the concepts that structure it, and to give a clear and thorough understanding of the IS process; IS governance itself is studied as a concept. The results demonstrated that the adoption of the COBIT repository in the organization could amplify its efforts. This input therefore enables the organization to capitalize on and build up knowledge in the field of IS governance, and to propose models for delivering an integrated, business-aligned IS.
Keywords—Information Systems Governance (ISG); IS process; business process; COBIT


I. INTRODUCTION
This paper focuses on the area of information systems governance. It corresponds to the implementation of the ways and means by which stakeholders can ensure that their concerns are taken into account in the operation of the information system (IS).
According to [1], IS management thus aims to define the objectives assigned to the information system and to plan, define and implement the processes related to IS lifecycle management.
These activities are based on the control and measurement of the performance of these processes with respect to the objectives underlying the use of the IS [1]. The object of IS governance is therefore the Information System [2]. The mission of an IS is to make the main activities of the organization generate more added value. It takes advantage of computer technologies (memorization, communication, calculation, transformation, and presentation) to establish a network of coordination between the organization's activities as well as a network of cooperation between the organization's actors.
In this paper, the authors address a twofold question: on the one hand, the choice of good practice frameworks for IS governance, and on the other hand, the research gaps in the formalization and conceptualization of the IS object that is the IS process.
This work is organized as follows. In the first section, the authors briefly present a repository of good IS governance practices. In the second section, they present the proposed model for the conceptualization of ISG, by explaining the concept of ISG, clarifying the perimeters of ISG and modeling the ISG process. In the third section, they define the place of COBIT in the ISG and then propose a model for the conceptualization of COBIT. Finally, a discussion of this work is followed by a conclusion.

A. Benchmarks of Good Practices of ISG
According to [4], standards and benchmarks of good practice in ISG are relatively little studied in the academic literature. However, the last few years have been marked by an increase in the number of these good practices, each coming from a professional community with its own issues and its own culture. The professional literature offers all kinds of books, catalogues and guides with comments on the use and fields of application of good practices [5], [6], [7], [8]. Reading these documents reveals a context rich in knowledge about the content and orientations of these standards.
According to [9], the notions of "standard" and "benchmark of good practice" are only two sides of the same coin. Their common denominator lies in their willingness to serve as a model or reference system recognized by a competent body and disseminated to a wide public. The authors retain the following characteristics relating to these two concepts in the table (Table I) [9]:

B. Existing Standards and Benchmarks
Existing standards and benchmarks, considered as operational solutions, can be summarized in the following list and, depending on their use, can be divided into several domains, as in the table below (Table II):
SPICE (Software Process Improvement and Capability determination): standard for software process evaluation, a synthesis of software process evaluation and improvement approaches. Essentially, it includes an implementation guide for the evaluation of software development projects [3].
• Information System Management:
ITIL (Information Technology Infrastructure Library): offers a structured library of best practices for better management of the Information System [3].
BS 15000 standard: guide to good practice for supply and service management. For its implementation, it is associated with the ITIL recommendations [3].
• Management and organization of the Information System:
COBIT (Common Objectives for Business Information Technology): this method was developed by ISACA (Information Systems Audit and Control Association) about ten years ago [3].
• Project Management:
PRINCE 2 (Projects IN Controlled Environments): a structured project management and certification method that focuses on three points: project organization, management and control [3].
PMBOK (Project Management Body of Knowledge): the reference document for project management. It describes knowledge and methods applicable to the majority of projects, whether IT or not, on which there is a consensus on their value and usefulness [3].
PPM (Project & Portfolio Management): management of projects so that they can be considered as portfolios. A strategy allows organizations to align their IT application development projects and resources with business objectives by putting in place indicators to monitor these projects [3].
• Information System Security:
ISO 27001: this standard allows companies to validate the security practices they adopt for their Information System [3].
ISO 15408/16949: IT security management, common criteria. They define the procedures and standard technical measures to be considered in the life cycle of a software product [3].
• Company management and quality:
COSO (Committee Of Sponsoring Organizations): its purpose is to manage business risks [3].
ISO 20000 and organization certification: this standard defines the needs of service management within the framework of the Information System. It defines the main processes for the efficient provision of these services [3].
ISO 9001: quality assurance model used for the certification of quality management systems [3].
ISO 10006: this standard provides guidance on the application of quality management to projects as part of project management processes [3].
eSCM (e-Sourcing Capability Model): a repository presenting good practices in the client/provider relationship in the context of outsourcing services [3].

C. Objectives of these Methods
These main references are complementary. Taken together, they bring value to the processes of the Information System and a fortiori to the whole organization, based on four main objectives [3]:
1) The implementation of good practices in the management of the services provided by the Information System.
2) The establishment of a development strategy for these processes including indicators related to budgets and projects.
3) The guarantee of a good organization (management, supervision) of the assets (hardware, software) and technologies implemented.
4) The alignment of the Information System with the strategy of the company on its core business and with the requirements of regulations related to professional particularities.

D. COBIT
The COBIT model (Control Objectives for Information and related Technology) is presented as a model for governance and control in information technology [3].
Created by ITGI (IS governance Institute) and ISACA (Information Systems Audit and Control Association), COBIT has been adopted by many international companies. However, because of its concept, it is preferably implemented in large companies [3].
Indeed, it is mainly aimed at managers and auditors, providing a methodology for [3]:
1) Corporate management. This framework helps them to control investments in order to better manage risks and meet their obligations to investors and shareholders.
2) The IT managers in charge of managing the Information System and the services provided.
3) The auditors, as they can make recommendations to management on the internal control of Information Systems.
The fact that this standard is intended for large companies does not prevent the implementation of processes adapted for small companies.
The methodology presented may contain improvement ideas for the governance of their Information System. CobiT is a set of recommendations and processes for evaluating IS resources. It is intended to guide practitioners in the implementation of internal controls.
CobiT was developed in 1994 (and published in 1996) by ISACA (Information Systems Audit and Control Association). ISACA has been represented in France since 1982 by AFAI (Association Française de l'Audit et du Conseil Informatiques).
CobiT is a control framework that aims to help management to manage risks (security, reliability, compliance) and investments [1].

III. PROPOSED METAMODEL OF ISG
As noted earlier, information systems governance (ISG) is a goal-driven project management activity that is driven by the execution of a process. This observation allows us to consider a representation of ISG as a whole made up of a product, describing the system of concepts that underlies ISG, and a process that aims to change the context of ISG [1].
In addition, any system can be directed and controlled provided that it can define (i) the devices for measuring whether the objectives assigned to it are being achieved and, if not, (ii) the levers (variables) of action for correcting deviations [1].
Governance is therefore first and foremost a matter of making decisions in the face of uncertainty. The link between the decisions to be taken and the resulting actions is mediated by a decision-maker driven by the desire to move towards the target assigned to the project or project portfolio [1].
In this section, the authors present a conceptual model of ISG, the objective of which is to describe the conceptual system underlying ISG. This work is done to overcome the inadequacy in the conceptualization of IS management and to build a governance IS. The proposed model is based on observation and analysis of the literature.

A. ISG Concept
IS Governance can be reduced to a simple approach based on good practices inspired by standards and reference frameworks. However, this leads to ambiguity and misunderstanding regarding the notion of IS Governance and the respective roles of management on the one hand, and service governance on the other.
In order to understand the place of IS Best Practice Standards and Reference Frameworks in IS Governance processes, authors believe it is necessary to clarify the meaning and scope of IS Governance. This will allow them to understand a posteriori the actual role of the IS Best Practice Standards and Reference Frameworks, in relation to IS management and IS governance.
According to [9], [10], [11] and [12], the concept of IS governance, often referred to as IS governance in specialized language, is a relatively new concept, emerging from several disciplines, including the social and information sciences.
According to [23], there are several definitions of the concept of IS governance on the web. In order to understand the exact meaning of the concept of IS governance, the author proposes to return to the notion of corporate governance, often referred to as "corporate governance". According to CIGREF (2002), the transposition of IS governance from corporate governance presupposes a good understanding of the principle of separation between "owners" and "managers". The implementation of this principle at the IS level presupposes the existence of a control body independent of the ISD, responsible for reducing the gaps between the decisions taken by those in charge of the IS (managers) and the interests of the owners (business and functional departments) [24].
Following the example of these excerpts, it is worth noting that IS governance, as a subset of the principles transposed from corporate governance, aims to strengthen the overall consistency of IS decisions with the interests of stakeholders.
There is a considerable gap between actual IS governance practices in companies and theoretical approaches, according to [12] and [14]. This is mainly due to the common confusion in the professional community between the respective roles of management and governance (inferred in [23]).

B. Perimeters of IT Service
IS Governance stems "from initiatives for strategic alignment with the expectations of managers and the business processes from which the principles of business governance result", according to [25]. This should not be confused with two closely related sub-domains, namely, IS Governance and infrastructure governance.
To clarify the scope of IS Governance, and according to ITGI [26], "IS governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives" [26]. Consequently, the IS Governance body, as a supervisory body exogenous to the IS function, must define, under the responsibility of the supervisory bodies, the framework and processes that support the company's strategy while respecting the objectives of corporate governance [27].
(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 9, 2020, www.ijacsa.thesai.org
All this analysis by the authors cited above leads us to conclude that ISG is based on the implementation and management of a set of processes that are modelled on the objectives of corporate governance. Normally, these processes are intended to support the objectives relating to the following areas:
This study pushes us towards the conceptualization of a model, which models ISG as a concept (Fig. 1):

C. ISG Process
IS governance is based on a set of processes that make it possible to check that the objectives assigned to the IS are properly considered and to react if necessary. [21] proposes to consider the IS processes that are essential for IS management around a control process (reporting) and an action process for decision-making. This is in line with the idea developed earlier in [28], which recommends six steps for aligning business and IT. They mainly concern identification of objectives, understanding of alignment links, analysis (in fine, measurement and control) and prioritization of gaps, and specification and choice of actions to be taken.
The IS processes that the authors consider are thus linked to the achievement of IS quality by a control mechanism based on the generic Deming approach of the PDCA (Plan, Do, Check, Act) [28].
The IS PROCESS facet allows this aspect to be represented. The values associated with this facet measure the degree of control of these processes, based on the principle that an IT PROCESS is at least documented. The identification of metrics, indicators and control rules allows decision making on the audit process: the process is then steered. An evaluative process is a process under control whose evolution has been considered and which is representative of mature governance. IS processes should not be confused with business processes: IS processes are essential for IS management around a control process (reporting) and an action process for decision-making [28]. Thus, the IS PROCESSES that are essential within the framework of good governance are those dedicated to audit, control and reporting according to [29].
The business process, by contrast, is defined in [30] as "a structured and measured framework of activities designed to produce a specific output for a customer or market. This implies focusing on how work is done within an organization, rather than focusing on the product. A process is therefore a precise order of activities across time and space, with a beginning and an end, clearly defined inputs and outputs: a structure of action." [30].
The typologies of business processes are defined in several ways in previous works; the authors clarify these typologies by quoting two of them.
RUMMLER's article [31]: This approach distinguishes primary processes, which are in direct contact with the customer and directly generate value, from supporting processes. The support processes are invisible from the customer's point of view and are functional: they concern accounting, recruitment or technical support. The primary processes concern activities and operations dedicated to procurement, production and sales.
ALONSO's article [32]: This approach is based on the nature of the business process. It distinguishes four types of processes:
• Productive: The process is repeatable and implements the primary processes of the company.
• Administrative: The process is bureaucratic and is governed by clearly established rules.
• Collaborative: The process is characterized by important interactions between actors. This is the case, for example, with steering committee processes.
• Ad-hoc: The process is defined on the fly during its execution. It is a process that is not planned; it is often linked to exceptions.
The authors' study leads us to conceive the IS governance process across the domains, or in other words the perimeters, of IS management: the objectives of value creation derive from the strategic alignment of the IS with the business, while risk management derives from the control and accountability policies in the company. The whole is supported by resources, and managed with the aim of achieving the desired performance.
This conclusion gives rise to the following Metamodel (Fig. 2).

IV. COBIT AT CORE OF ISG
Performance is at the heart of ISG concerns. It is the result of mastering the maturity of business and IT processes, hence the application of process-maturity-oriented methods such as COBIT [34], [33].
The authors' thesis topic is the COBIT repository, so after this study the paper focuses on COBIT. This does not underestimate the value of the other standards. However, the authors choose COBIT because it indicates the main lines to follow, the main axes for good ISG. For example, for the "Plan and organize" axis, COBIT says that a strategic IT plan aligned with the company's strategy must be defined; then, for "acquire and implement", that solutions, infrastructure and processes consistent with this plan must be put in place; then that service levels must be defined, a level of security ensured to manage risks, employees trained, etc.; and finally that effective control of IT processes must be ensured to guarantee a level of reliability, security, compliance and confidentiality. All this is based on strategic alignment: aligning this entire cycle with the company's objectives.

A. COBIT Proposed Metamodel
The CobiT repository is structured by components on which a conceptualization process will be applied. In this part, the paper describes these components and proposes a conceptual model to show the concepts of CobiT.
CobiT refers to four Generic Process Areas. Each contains the processes audited by the CobiT approach and refers to a stage of the governance cycle: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
In total, CobiT includes 34 processes (COBIT Process) that meet five IS governance requirements (Domain of ISG).
A process is audited according to information criteria (Information Criterion) against a set of control objectives (Control Objective). It is analyzed according to its level of maturity, which is representative of its effectiveness and efficiency.
According to CobiT a process uses resources in terms of skills, information, applications and infrastructure (IT Resource), and requires input and output information elements (Element, Input, Output).
A process organizes Activities during which actors intervene in accordance with their functions and responsibilities (Role). CobiT proposes a RACI grid (Responsible, Accountable, Consulted, and Informed) which allows visualizing the responsibilities of each person in relation to the activities. For a particular activity, an ISD can be responsible (R), accountable (A), consulted (C) or simply informed (I) [1].
The means of control proposed in CobiT meet control objectives. They implement a set of metrics for judging the achievement of the control objective. A control objective is defined in relation to the business goals and IT goals, which are the objectives that stakeholders set for themselves within the framework of IS management processes.
In general, CobiT processes meet a set of 28 goals (ButCOBIT). Indicators (COBIT Indicator) measure the level of achievement of the goals.
This analysis led us to apply a conceptualization process, and to describe the whole study of the COBIT product in the following metamodel (Fig. 3):

V. OSTERLE PRINCIPLES
In order to differentiate scientific research from solutions designed by practitioners, Osterle [35] indicates that scientific research must be marked by abstraction, originality, justification and benefit.
1) Abstraction: This paper clarifies the notions that characterize the field of ISG and proposes a metamodel to determine the place of COBIT in the conceptualization of ISG.
2) Originality: The proposed metamodel is not present in the body of knowledge of the domain.
3) Rationale: The proposed method for evaluating the model must justify the model.
4) Advantage: The COBIT framework allows a better conceptualization of the ISG and guarantees a better IT management for the company that adopts it.

VI. DISCUSSION
ISG includes the entire management system (processes, procedures, organization) used to steer IT. This concern is an expression of the desire to ensure corporate governance.
There are a large number of repositories that reflect the best practices developed over the years. This may come as a surprise. The reality is that each of them starts from a particular concern: safety, quality, services offered to customers, auditing, project development, etc. [33]. This is unavoidable if each function is to recognize itself in its own practices. At the same time, the question arises of setting up a single, global framework for the IT department that meets all expectations [33].
CobiT positions itself as both an audit reference and a governance reference. In terms of governance, it is immediately in line with the company's business lines and strategy. Beyond this positioning, CobiT is designed, developed and continuously improved to federate all IT-related repositories.
As a repository for information systems governance, the scope of CobiT goes beyond the scope of information systems management to encompass all the stakeholders in the company's information systems.
Indeed, implementing the ISG processes is not an easy task, as its definition and concepts are not clear. In this context, this work aims to provide a global approach for the conceptualization of the ISG and a benchmark of good practices in this field.
Even though the number of studies dealing with the conceptualization of the ISG is increasing, there is no study that models the concept of ISG in a way that identifies the interesting role of CobiT at the heart of this field.
It is therefore mandatory to build a shared representation of ISG concepts and to show how these concepts are structured within the CobiT framework.
The objective is to strengthen the professional literature by providing a machine-readable document for the ISG domain model, and then the scientific literature that is interested in improving information systems governance frameworks, by improving the understanding of the CobiT architecture.
Similarly, the main objective of the proposed metamodel is to represent the ISG domain concepts, their properties and relationships; to build a shared representation of ISG concepts between researchers and practitioners; to show how these concepts are reinforced by the CobiT framework; to make ISG knowledge reusable in similar IS engineering and management situations; and to support the creation of new ISG models.

VII. CONCLUSION
In this article, the authors have proposed a framework for the analysis of information systems governance (ISG), starting with a study of information systems standards and repositories and showing the link of these standards and repositories with the ISG. They then proceeded to the conceptualization of the ISG by proposing a metamodel, then the ISG process, and finally the conceptualization of COBIT, in order to highlight the need for research on the globality of the ISG. This work contributes to, confirms and adds value to the subject of IS governance.