Auditing Green IT Governance and Management With COBIT 5

IT Governance and Management
Author: J. David Patón-Romero, CISA, PMP, Maria Teresa Baldassarre, PMP, Moisés Rodríguez, CISA and Mario Piattini, CISA, CRISC, CISM, CGEIT, PMP
Date Published: 31 July 2019

Today’s organizations find themselves facing a relatively new challenge—governing and managing sustainability—since sustainability has become an important issue and is increasingly essential for business. Green IT practices help enterprises achieve and maintain ecosustainability. Like any other business practice, green IT can be optimized for value—not only to the business, but also to the broader community—when it is appropriately governed and managed. COBIT 5 offers an IT governance and management framework to help enterprises standardize and control green IT, so that it meets the expectations of the business.1, 2, 3 The case study herein offers one example for planning and conducting green IT audits to measure the enterprise’s progress toward green IT goals.

Understanding Green IT

Green IT reflects a broad array of technology and practices that helps enterprises conserve energy and natural resources; reduce or eliminate waste; reuse, recycle or repurpose materials, especially technology hardware and infrastructure; and design, implement and use information systems sustainably.

Green IT not only strives to reduce the negative impact that IT departments have on the environment,4 but also seeks to use information and technology (I&T) in ways that reduce environmental impact more broadly. Green IT, therefore, spans two overlapping but distinct conceptual domains:5

  • Green in information technology (green in IT)—As a producer of goods and services, enterprise IT itself has an impact on the environment: It consumes energy and technology artifacts (including both hardware and software), produces emissions, etc. Therefore, IT departments can implement green IT internally to produce more efficiently and consume more sustainably.
  • Green by information technology (green by IT)—As an enabler6 of efficient and sustainable practices, information and technology (I&T) can provide tools—the number and scope of which are virtually limitless—that facilitate sustainability outside the IT department, across the enterprise and beyond.

Auditing Green IT

Enterprises today often audit green IT from a business perspective rather than operational and/or technical perspectives. It is critical to distinguish between these approaches: Representing the business to customers and/or the general public in terms of sustainability is often a primary goal (i.e., reputation with respect to sustainability), compared with optimizing green IT practices at the operational and technical levels. Enterprises often regard reputation as a primary driver of business benefit. Figure 1 summarizes different objectives for conducting a green IT audit.

Figure 1

The scope of green IT audits is determined by the nature of the audit, whether green by IT or green in IT. If the audit evaluates sustainable practices implemented and/or executed in IT and intended to reduce the negative impact on the environment of IT itself, the audit reflects a green in IT audit, and the scope is reduced to the IT department.

If the audit evaluates sustainable practices implemented or facilitated by IT and intended to reduce the negative impact on the environment of other systems or business disciplines, the audit reflects a green by IT audit. Furthermore, the scope will encompass information and technology that are used for these purposes, as well as the systems/disciplines that are affected by them.

A Model Green IT Audit

An IT university services center (USC) in Mexico offers an ideal model for the green IT audit. Both the USC and the broader university are committed to ecosustainability and green IT. In fact, green IT is one of the university’s main disciplines and a critically important pillar within the USC: The university established a dedicated division and program for sustainable initiatives and the USC pursues continuous green innovation and improvement. Figure 2 lists some of the USC’s green IT practices prior to the audit.

Figure 2

Initially, the USC implemented green IT practices independently, without following any framework, in the absence of a global standard. After the adoption of the application of COBIT 5 for green IT, the USC had a framework to follow.

The model audit was intended not only to evaluate, but also to help standardize USC practices relative to COBIT 5. Because the USC implemented both green-in-IT and green-by-IT practices, the model audit proceeded along dual tracks, auditing (in both cases) the first two levels of the maturity model shown in figure 5.

To audit these two levels, the analysis of a series of green IT activities defined in each of the practices of the COBIT 5 processes was conducted. To analyze these activities, a checklist with audit questions was followed, as shown in figure 3 with the example of the green-in-IT audit questions of the process BAI09 Manage assets.

Figure 3

The audit of the first two maturity levels (of both green-in-IT and green-by-IT tracks) identified certain strengths and opportunities for improvement in each of the processes audited (figure 4).

Figure 4

After analyzing results for the audited processes and considering the maturity model, auditors determined that the USC partially achieved level 1 maturity in both the green in IT and green by IT tracks. Figure 5 illustrates by way of example detailed results for the green in IT track.

Figure 5

To determine the level of compliance of each COBIT 5 process, auditors evaluated a series of activities that are specific to green IT (defined during the auditors’ prior exercise adapting COBIT 5 to green IT7) for compliance with the practices and processes that COBIT 5 establishes. Complying with green IT activities indicates that practices are fulfilled and, therefore, each related process is also fulfilled. Where the USC did not fully comply with green IT activities, the auditors indicated possible solutions to achieve compliance. For example, with respect to process BAI09 Manage assets, auditors identified the deficiencies shown in figure 6.

Figure 6

Based on figure 5, it is clear that for the USC to meet maturity level 1, it must fully comply with process BAI09.

Conclusion

Green IT is not a utopian ideal. It is real, and it is here to stay. It provides great benefits to organizations, society and the environment. Green IT still has not been acknowledged to the degree it deserves—and there are not enough frameworks and standards to help enterprises understand and implement it. The standards and frameworks developed by ISACA, such as COBIT 5, are appropriate and adaptable to emerging practices such as green IT. Armed with appropriate standards and frameworks, auditors can be the engine of change for sustainability in and by IT.

Endnotes

1 ISACA, COBIT 5, USA, 2012, xhrj.yutb.net/COBIT/Pages/COBIT-5.aspx
2 Braga, G.; “The Time for Sustainable Business Is Now: Leveraging COBIT 5 in Sustainable Businesses,” ISACA Journal, vol. 3, 2015, http://xhrj.yutb.net/archives
3 Patón-Romero, J. D.; M. T. Baldassarre; M. Piattini; I. García Rodríguez de Guzmán; “A Governance and Management Framework for Green IT,” Sustainability, vol. 9, iss. 10, 2017 p. 1761, http://dx.doi.org/10.3390/su9101761. Patón-Romero, et al., discuss generic aspects of governance and management critical to green IT.
4 Deng, Q.; S. Ji; “Organizational Green IT Adoption: Concept and Evidence,” Sustainability, vol. 7, iss. 12, 2015, http://dx.doi.org/10.3390/su71215843
5 Erdélyi, K.; “Special Factors of Development of Green Software Supporting Eco Sustainability,” IEEE 11th International Symposium on Intelligent Systems and Informatics (SISY), 2013, http://ieeexplore.ieee.org/document/6662597
6 Unhelkar, B.; Green IT Strategies and Applications: Using Environmental Intelligence, CRC Press, USA, 2011, http://www.crcpress.com/Green-IT-Strategies-and-Applications-Using-Environmental-Intelligence/Unhelkar/p/book/9781439837801
7 Op cit Patón-Romero

J. David Patón-Romero, CISA, PMP
Is a Ph.D. student in advanced information technologies at the University of Castilla-La Mancha (Spain), and computer science and mathematics at the University of Bari Aldo Moro (Italy). He is also a consultant/auditor at the accredited laboratory for software quality assessment AQCLab. His research interests include governance, management and auditing of green IT.

Maria Teresa Baldassarre, PMP
Is currently an assistant professor at the University of Bari Aldo Moro (Italy) and a partner at Software Engineering Research and Practices. Her research interests focus on empirical software engineering, harmonization of multiple improvement models, quality assessment and improvement in software. She collaborates on several research projects and carries out controlled and in-field experimentation within small and medium enterprises. She is a partner of the SER and Practices spin-off company. Currently, she is the representative of the University of Bari in the International Software Engineering Research Network (ISERN) and is involved in various program committees related to software engineering and empirical software engineering international conferences.

Moisés Rodríguez, CISA
Is the chief executive officer (CEO) of the accredited laboratory for software quality assessment AQCLab.

Mario Piattini, CISA, CRISC, CISM, CGEIT, PMP
Is full professor at the Escuela Superior de Informática of the University of Castilla-La Mancha (Spain). He leads the ALARCOS research group and his research interests include software engineering and information system quality.