Auditing Green IT Governance and Management With COBIT 5

Author: J. David Patón-Romero, CISA, PMP, Maria Teresa Baldassarre, PMP, Moisés Rodríguez, CISA and Mario Piattini, CISA, CRISC, CISM, CGEIT, PMP
Date Published: 31 July 2019

Today’s organizations find themselves facing a relatively new challenge—governing and managing sustainability—since sustainability has become an important issue and is increasingly essential for business. Green IT practices help enterprises achieve and maintain ecosustainability. Like any other business practice, green IT can be optimized for value—not only to the business, but also to the broader community—when it is appropriately governed and managed. COBIT 5 offers an IT governance and management framework to help enterprises standardize and control green IT, so that it meets the expectations of the business.1, 2, 3 The case study herein offers one example for planning and conducting green IT audits to measure the enterprise’s progress toward green IT goals.

Understanding Green IT

Green IT reflects a broad array of technology and practices that helps enterprises conserve energy and natural resources; reduce or eliminate waste; reuse, recycle or repurpose materials, especially technology hardware and infrastructure; and design, implement and use information systems sustainably.

Green IT not only strives to reduce the negative impact that IT departments have on the environment,4 but also seeks to use information and technology (I&T) in ways that reduce environmental impact more broadly. Green IT, therefore, spans two overlapping but distinct conceptual domains:5

  • Green in information technology (green in IT)—As a producer of goods and services, enterprise IT itself has an impact on the environment: It consumes energy and technology artifacts (including both hardware and software), produces emissions, etc. Therefore, IT departments can implement green IT internally to produce more efficiently and consume more sustainably.
  • Green by information technology (green by IT)—As an enabler6 of efficient and sustainable practices, information and technology (I&T) can provide tools—the number and scope of which are virtually limitless—that facilitate sustainability outside the IT department, across the enterprise and beyond.

Auditing Green IT

Enterprises today often audit green IT from a business perspective rather than operational and/or technical perspectives. It is critical to distinguish between these approaches: Representing the business to customers and/or the general public in terms of sustainability is often a primary goal (i.e., reputation with respect to sustainability), compared with optimizing green IT practices at the operational and technical levels. Enterprises often regard reputation as a primary driver of business benefit. Figure 1 summarizes different objectives for conducting a green IT audit.

The scope of green IT audits is determined by the nature of the audit, whether green by IT or green in IT. If the audit evaluates sustainable practices implemented and/or executed in IT and intended to reduce the negative impact on the environment of IT itself, the audit reflects a green in IT audit, and the scope is reduced to the IT department.

If the audit evaluates sustainable practices implemented or facilitated by IT and intended to reduce the negative impact on the environment of other systems or business disciplines, the audit reflects a green by IT audit. Furthermore, the scope will encompass information and technology that are used for these purposes, as well as the systems/disciplines that are affected by them.

A Model Green IT Audit

An IT university services center (USC) in Mexico offers an ideal model for the green IT audit. Both the USC and the broader university are committed to ecosustainability and green IT. In fact, green IT is one of the university’s main disciplines and a critically important pillar within the USC: The university established a dedicated division and program for sustainable initiatives and the USC pursues continuous green innovation and improvement. Figure 2 lists some of the USC’s green IT practices prior to the audit.

Initially, in the absence of a global standard, the USC implemented green IT practices independently, without following any framework. After adopting the application of COBIT 5 for green IT, the USC had a framework to follow.

The model audit was intended not only to evaluate, but also to help standardize USC practices relative to COBIT 5. Because the USC implemented both green-in-IT and green-by-IT practices, the model audit proceeded along dual tracks, auditing (in both cases) the first two levels of the maturity model shown in figure 5.

To audit these two levels, the auditors analyzed a series of green IT activities defined in each of the practices of the COBIT 5 processes. To analyze these activities, they followed a checklist of audit questions; figure 3 shows an example, the green-in-IT audit questions for process BAI09 Manage assets.

The audit of the first two maturity levels (of both green-in-IT and green-by-IT tracks) identified certain strengths and opportunities for improvement in each of the processes audited (figure 4).

After analyzing results for the audited processes and considering the maturity model, auditors determined that the USC partially achieved level 1 maturity in both the green-in-IT and green-by-IT tracks. By way of example, figure 5 shows detailed results for the green-in-IT track.

To determine the level of compliance of each COBIT 5 process, auditors evaluated a series of activities that are specific to green IT (defined during the auditors’ prior exercise adapting COBIT 5 to green IT7) for compliance with the practices and processes that COBIT 5 establishes. Complying with green IT activities indicates that practices are fulfilled and, therefore, each related process is also fulfilled. Where the USC did not fully comply with green IT activities, the auditors indicated possible solutions to achieve compliance. For example, with respect to process BAI09 Manage assets, auditors identified the deficiencies shown in figure 6.

Based on figure 5, it is clear that for the USC to meet maturity level 1, it must fully comply with process BAI09.

Conclusion

Green IT is not a utopian ideal. It is real, and it is here to stay. It provides great benefits to organizations, society and the environment. Green IT still has not been acknowledged to the degree it deserves—and there are not enough frameworks and standards to help enterprises understand and implement it. The standards and frameworks developed by ISACA, such as COBIT 5, are appropriate and adaptable to emerging practices such as green IT. Armed with appropriate standards and frameworks, auditors can be the engine of change for sustainability in and by IT.

Endnotes

1 ISACA, COBIT 5, USA, 2012, www.isaca.org/COBIT/Pages/COBIT-5.aspx
2 Braga, G.; “The Time for Sustainable Business Is Now: Leveraging COBIT 5 in Sustainable Businesses,” ISACA Journal, vol. 3, 2015, https://www.isaca.org/archives
3 Patón-Romero, J. D.; M. T. Baldassarre; M. Piattini; I. García Rodríguez de Guzmán; “A Governance and Management Framework for Green IT,” Sustainability, vol. 9, iss. 10, 2017, p. 1761, https://dx.doi.org/10.3390/su9101761. Patón-Romero, et al., discuss generic aspects of governance and management critical to green IT.
4 Deng, Q.; S. Ji; “Organizational Green IT Adoption: Concept and Evidence,” Sustainability, vol. 7, iss. 12, 2015, https://dx.doi.org/10.3390/su71215843
5 Erdélyi, K.; “Special Factors of Development of Green Software Supporting Eco Sustainability,” IEEE 11th International Symposium on Intelligent Systems and Informatics (SISY), 2013, https://ieeexplore.ieee.org/document/6662597
6 Unhelkar, B.; Green IT Strategies and Applications: Using Environmental Intelligence, CRC Press, USA, 2011, https://www.crcpress.com/Green-IT-Strategies-and-Applications-Using-Environmental-Intelligence/Unhelkar/p/book/9781439837801
7 Op cit Patón-Romero

J. David Patón-Romero, CISA, PMP
Is a Ph.D. student in advanced information technologies at the University of Castilla-La Mancha (Spain), and computer science and mathematics at the University of Bari Aldo Moro (Italy). He is also a consultant/auditor at the accredited laboratory for software quality assessment AQCLab. His research interests include governance, management and auditing of green IT.

Maria Teresa Baldassarre, PMP
Is currently an assistant professor at the University of Bari Aldo Moro (Italy) and a partner at Software Engineering Research and Practices. Her research interests focus on empirical software engineering, harmonization of multiple improvement models, quality assessment and improvement in software. She collaborates on several research projects and carries out controlled and in-field experimentation within small and medium enterprises. She is a partner of the SER and Practices spin-off company. Currently, she is the representative of the University of Bari in the International Software Engineering Research Network (ISERN) and is involved in various program committees related to software engineering and empirical software engineering international conferences.

Moisés Rodríguez, CISA
Is the chief executive officer (CEO) of the accredited laboratory for software quality assessment AQCLab.

Mario Piattini, CISA, CRISC, CISM, CGEIT, PMP
Is a full professor at the Escuela Superior de Informática of the University of Castilla-La Mancha (Spain). He leads the ALARCOS research group and his research interests include software engineering and information system quality.