Next Article in Journal
AI-Assisted Documentation: An Implosion Animation Method for CAD Designs
Previous Article in Journal
Architecture for Managing Autonomous Virtual Organizations in the Industry 4.0 Context
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Computers
Volume 14
Issue 12
10.3390/computers14120520
computers-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Review

Evolution and Perspectives in IT Governance: A Systematic Literature Review

by
Álvaro Vaya-Arboledas
,
Mikel Ferrer-Oliva
and
José Amelio Medina-Merodio
*
Departamento de Ciencias de la Computación, Universidad de Alcalá, 28871 Madrid, Spain
*
Author to whom correspondence should be addressed.
Computers 2025, 14(12), 520; https://doi.org/10.3390/computers14120520
Submission received: 18 October 2025 / Revised: 21 November 2025 / Accepted: 26 November 2025 / Published: 28 November 2025
Browse Figures
Versions Notes

Abstract

The study presents a systematic review of the state of the art on Information Technology (IT) governance research. Following the PRISMA 2020 protocol and drawing on Scopus and Web of Science, covering publications from 1999 to May 2025, 380 relevant articles were identified, analysed and categorised. A bibliometric analysis supported by tools such as VOSviewer and SciMaT mapped the principal thematic strands, influential authors and institutions, and revealed research gaps. The results indicate a consolidated field in which resource allocation, industrial management, strategic alignment and board-level IT governance operate as driving themes, while information management, the configuration of the IT function and the regulatory nexus between laws and information security remain emerging areas. The conclusions emphasise the theoretical implications of clarifying how IT governance shapes IT investment and initiative prioritisation, sectoral configurations and strategic alignment, and the practical implications of using these mechanisms to design and refine governance structures, processes and metrics in regulated organisations so that value creation risk control and accountability are more explicitly aligned.

1. Introduction

Over recent decades, Information Technology (IT) has become a fundamental component of organisations across the public and private sectors [1]. This widespread integration has introduced growing complexity in the management of digital resources, security, information value, risk exposure and technological dependence [2,3]. In this context, IT governance has emerged as a key field to ensure that technology-related decisions align with organisational interests [4]. These decisions are channelled through data that are stored electronically in IT systems in accordance with UNE-ISO/IEC 38500 [5].
Recent studies show that in organisations with a mature IT governance model, the technology function is viewed as strategic for overall business performance [6]. Trujillo-Lambert et al. [7] report that 95% of SMEs with high levels of IT governance implementation consider it essential to their corporate strategy, which underscores the central role of this domain.
Over the past two decades four core concepts have shaped research in this field and explain the maturation of the discipline:
  • Consolidation of regulatory frameworks and good practices, including widely adopted models such as COBIT (from version 5 to its 2019 iteration) [8], COSO [9], ITIL [10] and international standards such as UNE-ISO/IEC 38500 [5].
  • Digital capability, where the expansion of technologies such as cloud computing, data analytics and artificial intelligence has introduced new challenges that require alignment between the application architecture and governance mechanisms [11], leading to greater board-level engagement in system modernisation [12].
  • Organisational resilience, which became particularly salient during the COVID-19 pandemic and accelerated the need for more agile and risk-oriented governance frameworks [13].
  • The Sustainable Development Goals (SDGs), which have increasingly influenced IT governance through the integration of social and environmental value creation [14]. In recent years “green governance” frameworks have emerged that link transparency, performance and alignment with the 2030 Agenda [15].
Taken together, these concepts define a research field marked by the convergence of technological, financial and sustainability-oriented approaches. This convergence justifies a systematic review aimed at analysing the evolution of the area, identifying the main contributors and outlining future research avenues. At the same time, these drivers have not only supported academic development but have also generated tensions that reinforce the need for a systematic examination of the state of the art.
Within this landscape, research on IT governance has expanded rapidly in recent years, driven in particular by the spread of frameworks such as COBIT and UNE-ISO/IEC 38500 [16], the broader processes of digitalisation [17] and heightened exposure to cyber risk [18]. While this dynamism is positive, it has also produced a fragmented panorama, with studies dispersed across sectors, countries, disciplines, metrics and governance dimensions, which hinders the consolidation of a cohesive body of knowledge for scholars and practitioners [19]. This fragmentation can be summarised in several key aspects:
  • Inconsistent findings, where the diversity of governance mechanisms and frameworks yields contradictory evidence. For example, Abass et al. [9] argue that integrating COBIT and COSO can be applied across sectors without modification, whereas Akbari et al. [11] emphasise the importance of coherence between systems architecture and IT governance structures.
  • Empirical evidence concentrated in specific contexts, which limits the exploration of alternative governance mechanisms in under-studied environments.
  • The theory–practice gap, which highlights the need for more adaptive frameworks, synthesis of existing evidence and actionable recommendations.
  • New sustainability agendas, which broaden the scope and dimensions of IT governance in ways not yet fully addressed by recent reviews.
In response, this study proposes a systematic literature review based on the PRISMA protocol [20,21,22] and supported by tools such as VOSviewer [23,24,25] and SciMAT [26,27], with the aim of integrating, consolidating and assessing academic production on IT governance to provide a foundation for the design of decision making frameworks that maximise value in line with current trends.
Accordingly, the main objective is to develop a state of the art that consolidates dispersed findings and reveals patterns of professional practice by identifying the governance mechanisms that generate value, thereby guiding future research and prioritising under-explored areas.
This requires a systematic review capable of identifying patterns and gaps in the existing literature. To address this need, the study formulates five research questions (RQs):
  • RQ1: How has scientific output on IT governance evolved between 1999 and 2025? This question focuses on the temporal evolution of publications indexed in Scopus and Web of Science (WoS).
  • RQ2: Which authors, institutions and countries hold the greatest academic influence? This question seeks to identify knowledge hubs through bibliometric indicators.
  • RQ3: What are the principal driving themes in the IT governance literature? This involves classifying dominant research streams and their interrelations.
  • RQ4: What are the main emerging thematic lines in IT governance research? The aim is to identify trends and new areas for exploration.
  • RQ5: What are the principal thematic groups found in the IT governance literature? This question focuses on clustering key areas and understanding their interconnections.
The article is structured as follows. Section 2 develops the literature review and theoretical framework, establishing key concepts, reference models and critical success variables in IT governance. Section 3 describes the research methodology, detailing the systematic review process and the bibliometric tools applied. Section 4 presents the results derived from the analysis and addresses the research questions through empirical evidence. Section 5 discusses the findings and sets out the main conclusions and implications for future research.

2. Literature Review and Theoretical Framework

This chapter examines the foundational pillars of IT governance. It begins by delimiting the concept and its scope and reviews key definitions from AENOR [5], ISACA [28] and Weill and Ross [29]. These sources frame IT governance as a structured system for directing and controlling technological resources to generate value. The discussion then turns to the operationalisation of these ideas through internationally accepted reference frameworks. Among them are COBIT 2019 [28] and UNE-ISO/IEC 38500 [5], which provide the principles and structures that translate governance theory into practice. Finally, the analysis focuses on critical success variables and performance metrics that determine the effectiveness of IT governance [30]. It identifies the essential factors required for the chosen governance model to deliver the expected benefits [31,32].

2.1. Key Factors and Organisational Impacts of IT Governance

The implementation of IT governance depends on the systematic identification and strategic management of critical factors that condition its effectiveness across sectors and geographical contexts [33]. Empirical evidence shows that organisational politics and formal monitoring and evaluation mechanisms are central determinants of successful adoption. This is especially true in public institutions where they directly shape strategic planning and investment management [34,35]. In corporate settings, factors such as IT strategy, integrated risk management, performance measurement and governmental support are decisive for establishing effective governance [36]. Cultural dimensions including uncertainty avoidance and levels of institutional individualism also influence the design of organisational structures and coordination mechanisms [37]. These findings confirm that IT governance is a contingent phenomenon that depends on contextual and cultural variables which must be addressed carefully to achieve sustainable outcomes [38,39,40,41,42].
The organisational impacts of IT governance are equally significant. They relate to strategic value creation and measurable improvements in organisational performance [43]. Cost reduction, organisational agility, information security and the strategic reallocation of resources are mechanisms that strengthen governance effectiveness. This is particularly evident when governance relies on relational arrangements such as those typical of cloud computing environments [44]. Organisations that adopt structured governance practices report notable gains in financial returns, especially in the early years after implementation [45]. Institutional factors such as the creation of dedicated IT executive roles act as catalysts for optimising returns on investment in the public sector [46]. At the operational level, senior management commitment and structured decision making mechanisms amplify the benefits of technology investment [7,47]. Consequently, effective governance becomes a key engine for aligning technology processes with business objectives and for maximising the value of investments [48,49,50].
Analyses of mediating and moderating factors explain how IT governance translates into tangible outcomes [51]. Organisational innovation and dynamic capabilities emerge as key mediators between governance and strategic agility [52,53]. Recent studies show that effective governance can positively moderate the relationship between strategic alignment and performance, although negative effects appear under conditions of severe misalignment [54]. Evidence also indicates that agility, operational capabilities and outsourcing decisions shape the impact on financial results [55]. Other work highlights contextual conditions such as decentralised governance or market turbulence as boundary factors that affect effectiveness [56,57,58]. The literature further shows that different alignment modes—hierarchical, market or network—produce differentiated effects on efficiency, growth and innovation [59,60].
The maturity of IT governance is another determinant of sustainable organisational impact [61]. Regular audits and clearly defined IT policies foster progress towards higher levels of sophistication. A lack of leadership, resource constraints and cultural rigidity operate as inhibitors [62,63,64,65]. Contextual factors also matter. Ownership type, level of economic development and alignment between IT and business areas influence outcomes [66,67,68]. Organisational transparency and knowledge management strengthen accountability and institutional responsiveness [69,70,71]. The literature confirms that higher maturity correlates with better service quality, competitiveness and strategic alignment. It also supports public policy implementation and reduces security risk [72].
In this setting, IT governance also acts as a fundamental mediator between corporate mechanisms and strategic outcomes. Evidence shows contributions to business continuity and institutional transparency, especially in crises such as the COVID-19 pandemic [73,74]. Differences in the disclosure of governance information reflect institutional environments and underscore the relevance of performance measurement to foster sustainable business practice [75]. Traditional models can nonetheless prove insufficient in sectors such as education or security, where adaptations are needed to address structural and long-term challenges [51,76,77]. Overall, systematic reviews reaffirm that the essence of governance rests on people, processes and products, while its implications increasingly extend to intra- and inter-organisational relationships [78]. Finally, the literature identifies additional variables that either enable or hinder implementation. These include knowledge sharing, technological compatibility, infrastructure flexibility and top-management support [79,80,81,82,83,84,85,86].
In terms of outcomes, the evidence confirms that effective governance yields operational and strategic benefits. These include system longevity, improved profitability, enhanced technological performance, stronger post-ERP operations and sustained competitive advantage [11,87,88,89,90,91]. Recent studies also stress enablers such as data privacy, process analytics and gap assessment as critical elements for designing effective frameworks that ensure long-term organisational value creation [92,93,94,95,96,97].

2.2. Reference Frameworks and Methodological Evolution

Specialised methodological frameworks and advanced technical tools are foundational to translating the theoretical principles of IT governance into operational practices within complex and dynamic organisations [98]. In this vein, the Viable System Model (VSM) supports alignment between organisational and technological components, facilitating adaptation and value generation in high-variability contexts [99,100]. Real-options-based, real-time decision frameworks have likewise been designed to appraise IT investments strategically, integrating critical control elements such as process quality and resource allocation [101]. Complementarily, tools such as CAT5 enable maturity measurement with COBIT 5 and continuous-improvement processes [102]. In parallel, scholars emphasise the need to integrate frameworks such as VAL IT to build performance-management metamodels, while the selective adoption of ITIL, Val IT and PMBOK covers most organisational processes [103].
The evaluation of IT governance maturity has evolved towards structured methodologies grounded in internationally recognised frameworks, enabling precise and comparable diagnostics [104,105]. In this area, the applicability of COBIT has been validated in banking and government sectors, showing that many organisations reach intermediate maturity levels yet display shortcomings in automation and formal policies [61]. The value of combining quantitative metrics with qualitative assessments has also been highlighted, broadening the practical utility of diagnostics [72]. Other studies confirm significant gaps in public libraries, government offices and computer networks, where most organisations remain at maturity levels 2 to 3 [106,107,108,109].
Applying maturity frameworks in specific contexts underscores the importance of methodological adaptations that consider cultural, regulatory and sectoral dimensions [68]. In the banking sector, substantial differences have been identified between private and public institutions in terms of strategic alignment and policy formalisation [110,111,112]. In higher education, holistic frameworks based on ITIL and ISO/IEC support transitions towards mature governance in outsourced and cloud services [106,109]. Applications in public administration document predominantly initial maturity levels with a need for substantial improvement [63,70,71]. Other studies show that factors such as national culture and resource availability influence the levels achieved in industries in Korea, Ecuador and Brazil [64,65,67,113].
Normative standards and regulatory frameworks for IT governance provide guidance for implementing structured and comparable practices [9]. The integration of COBIT and COSO contributes to corporate governance and audit readiness, while COBIT facilitates compliance with regulations such as the King III Report [114]. In SME contexts, conceptual frameworks have been developed that incorporate factors such as organisational culture and demographics, integrating the Balanced Scorecard to assess performance impact [115,116]. Likewise, the UNE-ISO/IEC 38500 standard enables the articulation of IT with strategic objectives under diverse regulatory settings [75,117]. Nevertheless, some studies show that many executives lack preparedness in IT control, underscoring the need to strengthen governance competencies [118,119].
Structural and process mechanisms are essential to operationalise IT governance [120]. COBIT domains differentially influence resources and information criteria, while strategic committees and IT leadership emerge as key factors in educational institutions [121]. In outsourcing, evidence points to a shift from intra- to inter-organisational models [122], whereas in corporate contexts structural mechanisms positively affect profitability [123]. Other approaches such as STOPE provide integrative controls to identify strengths and weaknesses [124,125]. In collaborative governance, board participation and communicative coordination are important [80,88,126].
Finally, the evolution of governance frameworks shows a trend towards hybrid and complementary models [127,128]. The adoption of ITIL and COBIT examined through the lens of UTAUT underlines their central role in ICT efficiency [129]. Integrating ITIL with EFQM helps address measurement limitations in COBIT [130,131]. Emerging frameworks such as IT4IT™ have also been analysed, alongside the incorporation of environmental sustainability and adaptive control [132,133,134]. Overall, COBIT exhibits internal consistency and strong potential for future research on implementation effectiveness [135,136,137].

2.3. Strategic Alignment and Organisational Effectiveness in IT Governance

IT governance has consolidated as a critical domain to secure coherence between technological resources and organisational objectives, extending beyond operational management towards a strategic approach to direction and control. In this regard, prior studies argue that IT governance integrates mechanisms oriented to strategic alignment, value creation, risk management and the evaluation of business performance [138,139].
How governance manifests depends on organisational, sectoral and geographical specificities, which calls for adaptive approaches. Research in financial, public, higher-education and healthcare settings shows that governance effectiveness is configured differently across contexts. This confirms the importance of variables such as organisational size, industry, technological maturity and institutional culture [36,37,38,140,141,142,143]. This contextual perspective has enabled the development of adaptive frameworks that increase the likelihood of successful implementation [7,39,46].
One of the most developed lines of inquiry examines the impact of governance on organisational, financial and technological performance. Evidence shows that IT governance promotes innovation and efficiency through strategic alignment and that it acts as a mediator in improving business outcomes [52,144]. Its positive influence on financial indicators such as Return on Assets (ROA) and Return on Equity (ROE) is amplified where managerial experience in IT is limited, particularly in emerging markets [145,146]. Governance has also been shown to strengthen dynamic capabilities, increase organisational agility and improve productivity in sectors such as healthcare and cloud services [55,147,148,149].
The recent literature converges on the view that IT governance is a strategic component of corporate governance, integrating normative dimensions with sector-specific applications. This multidimensional character has enabled analysis of the interplay between strategic alignment, reference frameworks and impact evaluation on organisational results [73,78,150].
Business–IT strategic alignment remains a central challenge. Empirical evidence indicates that governance directly shapes coherence between business objectives and technological capabilities, with the credibility of IT emerging as a decisive factor for organisational trust [74]. Theoretical models suggest that alignment can take functional, structural and temporal forms, each with distinct effects on competitiveness and flexibility [151,152]. Social alignment and top-management support are likewise highlighted as key conditions for improving integration between business units and technology areas [51,153]. In parallel, frameworks such as the SAM alignment model and requirements-engineering methodologies have proved useful in academic and collaborative contexts [119,154].
The effectiveness of governance is reflected in business continuity, transparency and strategic value generation. During the pandemic, IT governance critically mediated organisational responsiveness when corporate mechanisms were insufficient [73]. Complementary studies show that measuring IT performance and disclosing results are essential practices for sustaining the enterprise [75]. Effectiveness in sectors such as universities and public security also depends on decisions regarding the centralisation or decentralisation of technological controls [76,77].
In SMEs and collaborative networks, the evidence indicates that relational governance mechanisms outperform structural ones, with technological flexibility and system compatibility proving decisive for higher degrees of alignment [81,82,84].
Finally, stakeholder management and inter-organisational coordination have emerged as critical dimensions for ensuring governance effectiveness. Recent research shows that environmental turbulence positively moderates these relationships, underscoring the importance of communication practices, partnering and the comprehensive adoption of principles such as those proposed by COBIT [155,156,157].

3. Methodology

3.1. Introduction

To address the issues outlined above, a systematic literature review is required. Systematic reviews constitute a comprehensive research method that evaluates prior studies and their data to derive empirical evidence for answering predefined research questions [158].
A widely accepted approach is the PRISMA protocol (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) [20,21,22]. PRISMA sets out clear steps and guidance to ensure transparency and reproducibility through four phases: identification, screening, eligibility and inclusion [22]. Adhering to this structure ensures the transparency and reproducibility noted above and has been adopted in recent studies that combine systematic review with bibliometric analysis [159].
Once the PRISMA inclusion phase was completed, two complementary tools were used in the analysis stage:
  • VOSviewer: Employed to conduct a bibliometric co-occurrence analysis of keywords [23,24,25].
  • SciMAT: Used as an advanced science-mapping tool to examine thematic evolution over time via co-word analysis and strategic diagrams [26,27].
The following section describes the literature identification process.

3.2. Literature Identification

The validity of a bibliometric search depends heavily on the representativeness of the databases selected for the study [160]. Literature retrieval is one of the earliest and most essential tasks in preparing the review. For this work, searches were carried out in the Web of Science (WoS) and Scopus databases. The two sources differ in coverage: for example, Scopus tends to index more European journals and works in the social sciences, whereas WoS applies stricter inclusion criteria [161]. Using both in tandem strengthens the comprehensiveness of identification, since a small proportion of unique records appear only in one database [162].
The search strategy was designed to be broad and sensitive, prioritising the retrieval of a large pool of potentially relevant documents. This decision accords with methodological recommendations in the review literature, which warn that overly restrictive strings using complex logical operators (for example, queries combining many OR and AND operators) may omit key results [159]. In order to maximise recall and maintain cross-database comparability, we intentionally employed generic, framework-agnostic descriptors. The COBIT 2019 term enterprise governance of IT (EGIT) is an equivalent expression; however, ‘EGIT’ was not included in the query to avoid framework-specific narrowing and to preserve comparability between WoS (Web Of Science) and Scopus.
Accordingly, the query combined the core concept “IT governance” with the more explicit expression “information technology governance”:
Query: “IT governance” OR “information technology governance”
The search was limited to the period 1999–2025. Execution of the query returned the following:
  • Web of Science: 1598 results.
  • Scopus: 2739 results.
In total, 4337 combined records were retrieved from the two databases.

3.3. Screening and Eligibility

Once the 4337 records had been retrieved from WoS and Scopus, the screening and eligibility phase was conducted in line with PRISMA guidance [20,21,22]. Clear inclusion and exclusion criteria were first specified for the review together with an explicit justification for each [163].
The exclusion criteria were as follows:
  • Duplicates: Items appearing in both databases or duplicated within the same database.
  • Conference papers and proceedings: Excluded because, while potentially informative, they do not generally meet the rigour of peer-reviewed journal articles.
  • Literature reviews: Excluded to avoid conducting a review of reviews and introducing bias.
  • Books or book chapters: Excluded because they hinder reproducibility of search and analysis and are less consistently indexed and peer reviewed.
  • Not written in English: Excluded for linguistic uniformity and to avoid complications for tools such as SciMAT and VOSviewer.
Accordingly, the review focused on peer-reviewed journal articles in English published between 1999 and 2025. The screening process applying these eligibility criteria is summarised in Figure 1, which presents the PRISMA flow diagram generated with the “PRISMA Flow Diagram tool” [164].
The databases returned 4337 records, of which 1359 were identified as duplicates, leaving 2978 items. Of these, 2026 were excluded for the following reasons:
  • Conference papers and proceedings: 1625 records removed.
  • Literature reviews: 49 records removed.
  • Books or book chapters: 245 records removed.
  • Language not applicable: 98 records removed.
After this screening, 952 articles remained for potential inclusion and moved to in-depth assessment. Abstracts and titles were read in detail and, where necessary, full texts were consulted to determine final inclusion. The reasons for exclusion at this final stage were the following:
  • Articles addressing other types of governance: 64 records excluded (e.g., data governance, security governance, AI governance). In most cases IT governance was mentioned only as an example while the primary focus was another governance domain.
  • Articles addressing IT-related topics without an IT governance focus: 80 records excluded (e.g., sectoral technology issues in agriculture, education, healthcare or the public sector framed as digital transformation rather than IT governance).
  • Articles on Green IT: 17 records excluded where IT governance was treated primarily as a tool for environmental objectives.
  • Articles without an abstract: 50 records excluded. Systematic reviews require sufficient information to assess relevance and the absence of an abstract can undermine transparency [158].
  • Articles in which IT governance played a secondary or mediating role: 361 records excluded (e.g., term comparisons, teaching IT governance, or examining the impact of IT on political governance).
In this final pass, 572 articles were excluded, leaving 380 articles for the final analysis. This corpus was then used for the bibliometric analyses with SciMAT v1.1.06 and VOSviewer 1.6.20 and to derive the results that address the stated research questions.

3.4. Co-Word Analysis

Co-word analysis is central in systematic reviews of this kind. It identifies the conceptual structure of a scientific field and its evolution over time and allows strategic themes to be visualised in diagrammatic or network form [20,21]. It also supports the delineation of thematic areas within a given research domain [26].
To ensure validity, a lexical normalisation process was conducted. Synonyms were grouped, singular and plural variants were unified, and distinct terms with the same meaning were harmonised. This reduces term dispersion and improves the quality of the bibliometric analysis [165].
After normalisation, SciMAT clusters terms into thematic groups using algorithms that consider both co-occurrence frequency and semantic relations, positioning them on the strategic diagram according to density and centrality [26]. This is complemented by VOSviewer, which constructs keyword co-occurrence networks and graphically represents connections between items as interrelated node graphs [25].

4. Results of the Review

Following the data collection described above, this section reports the results that address the research questions.

4.1. Number of Publications (RQ1)

From the final sample of 380 articles obtained through the systematic review, results span the years 1999 to 2025. Figure 2 shows the temporal evolution of the field in terms of publication counts. There is an initial growth phase up to 2008 followed by marked expansion until 2013. Since 2014, output has remained stable, albeit with some oscillations, averaging between 20 and 30 publications per year. This stability suggests consolidation of the field. For 2025, counts reflect items indexed up to May only and the lower value observed is attributable to this partial-year window.
This trajectory is consistent with prior studies such as Falchi de Magalhães et al., [166], who describe IT governance as a progressively evolving and multidisciplinary field with strong economic development. A clear inflexion point occurred in 2020 in the wake of the COVID-19 pandemic. Authors such as Gewald and Wagner [167] emphasise the need for more adaptive and resilient governance models. Together these studies support the view that, despite the apparent stability since 2013, IT governance has achieved thematic maturity while continuing to evolve in response to new challenges.

4.2. Authors, Institutions and Countries (RQ2)

Understanding the maturity of a scientific field requires identifying the people, institutions and countries that have contributed most. For IT governance, the bibliometric analysis described earlier allows the following questions to be addressed:
  • Most relevant authors: Those who have contributed most as measured by productivity (total number of publications), citations and H-index.
  • Leading institutions and journals: The research groups and outlets that have contributed most to IT governance as measured by the total number of publications.
  • Geographical distribution of scientific output: The principal contributing countries, indicating higher innovative and financial capacity.

4.2.1. Leading Authors

Using SciMAT and VOSviewer, essential author-level information was compiled. Across the 380 articles analysed, a total of 864 individual authors were identified, many of whom co-author together. From these, the ten most relevant authors were examined based on their h-index. Table 1 lists the ten authors in descending order of h-index. The data were retrieved from Scopus and include the author’s h-index, total publications, the most influential IT governance publication, citation count for that publication, Scopus accessibility and DOI.
Among these, Turel and Bart [58] stand out with an h-index of 52 and a total of 284 publications. Their most cited IT governance paper is “Board-level IT governance and organizational performance” [58], which has received 95 citations and consolidates their role in research on organisational leadership and performance in the IT governance context.
Hidayanto are the most productive, with 472 publications and an h-index of 28. Their most relevant contribution is “Important factors in information technology governance awareness: An empirical survey of the expert’s opinion in Indonesia” [168], which focuses on expert perceptions of critical success factors in the Indonesian context.
De Haes and van Grembergen [169] mark a milestone in the study of strategic alignment with their joint publication “An exploratory study into IT governance implementations and its impact on Business/IT alignment” [169], which has accrued 416 citations. Both authors have been pivotal in the consolidation of the COBIT framework.
Other notable contributors include Ilmudeen [170], Prasad et al. [171], Joshi et al. [43] and Yudatama et al. [172], whose work spans governance maturity, governance effectiveness and success factors in IT governance implementation.
Table 1. Most cited authors.
Table 1. Most cited authors.
AuthorH-IndexPublicationsMost Cited Article on IT GovernanceCitationsDateFree Access in ScopusDOI
Turel, Ofir [58]52283Board-level IT governance and organizational performance952014No10.1057/ejis.2012.61
Green, Pete [173]3193Effective information technology (IT) governance mechanisms: An IT outsourcing perspective144201210.1007/s10796-009-9183-y
Hidayanto, Achmad Nizar [168]28472Important factors in information technology governance awareness: An empirical survey of the expert’s opinion in Indonesia7201910.3844/jcssp.2019.1065.1073
Bart, Christopher Kenneth [58]2766Board-level IT governance and organizational performance952014No10.1057/ejis.2012.61
Van Grembergen, Wim [169]1870An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment4162009No10.1080/10580530902794786
De Haes, Steven [169]1695An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment4162009No10.1080/10580530902794786
Aboobucker, Ilmudeen [170]1124Information technology (IT) governance and IT capability to realize firm performance: enabling role of agility and innovative capability232022No10.1108/BIJ-02-2021-0069
Prasad, Acklesh [174]933A capabilities-based approach to obtaining a deeper understanding of information technology governance effectiveness: Evidence from IT steering committees84201010.1016/j.accinf.2010.07.013
Joshi, Anant [175]935Explaining IT governance disclosure through the constructs of IT governance maturity and IT strategic role71201310.1016/j.im.2017.09.003
Nazief, Bobby Achirul Awal [176]931Data to model the effect of awareness on the success of IT Governance implementation: A partial least squares structural equation modeling approach (PLS-SEM)22201910.1016/j.dib.2019.104333

4.2.2. Institutions and Most Active Journals

From the 380 articles, a total of 227 institutions were identified as contributors to IT governance research. Among the most productive are Antwerp Management School (Belgium), The University of Queensland and Queensland University of Technology (Australia), California State University (United States) and Universitas Indonesia (Indonesia). This prominence is largely explained by the track record of influential authors in IT governance: De Haes and van Grembergen [169] in Antwerp; Prasad and Green [177] in Queensland; Turel and Bart [58] in California; and Nazief et al. [168] in Jakarta (Indonesia).
It is also important to highlight not only the most active institutions but the most influential journals, as these act as the main vehicles for disseminating research. Table 2 lists the ten journals with the highest number of publications in our bibliographic corpus.
Interpretation of the distribution. Beyond the core outlets listed in Table 2, the remaining 303 of 380 publications (~79.7%) are spread across a wide variety of journals, which is indicative of a long-tail configuration. This pattern reflects the structural traits of IT governance scholarship: it is interdisciplinary (bridging information systems, management, accounting, public administration and sector-specific domains), specialised (with focused themes such as maturity models, board-level governance, compliance, digital transformation and cybersecurity interfaces), context-sensitive (responsive to regional and regulatory settings that encourage nationally oriented outlets), and methodologically diverse (from qualitative case studies to design-science, surveys and bibliometric mappings). Taken together, these features produce a small, recurrent core of high-visibility venues alongside an extended tail of specialised outlets where cumulative volume remains substantial despite low per-journal counts.
The most influential institutions have a strong presence in these outlets, which reinforces their relevance and their capacity to attract research talent. This close association between institutions and specialist journals has helped consolidate a scientific network around IT governance research.

4.2.3. Geographical Analysis

Of the 380 articles analysed, authors from 65 countries contributed to the literature. Table 3 reports the ten countries with the largest publication counts in IT governance. The United States leads with 58 papers, followed by Indonesia with 37 and Australia with 26.
Indonesia’s rapid growth is linked to government-led digitalisation and the research momentum at Universitas Indonesia. This is corroborated by studies such as Nazief et al., [168], which examine success factors for IT governance in the Indonesian public sector. In the case of the United States, leadership rests on consolidated regulatory frameworks and a highly diverse academic ecosystem. A clear example is Turel and Bart [58], which underscores the strategic importance of IT governance practices in the US corporate environment.
Overall, there is a clear correlation between the leading countries in IT governance research and the institutions and authors discussed above. The concentration of publications in the United States, Indonesia and Australia aligns with the profiles of authors such as Turel and Bart [58], Nazief et al. [168], Prasad and Green [177].
The ranking largely follows publication volume. European countries show fewer IT governance papers during the period. Some of the activity focuses on related topics such as digital transformation or regulatory compliance, while other parts are based on multinational collaborations that dilute the figures at the European level.

4.3. Driving Research Themes (RQ3)

To analyse the evolution of the field in depth and to identify its principal research themes, we used SciMAT and the bibliometric analysis derived from the selected articles. We employed the strategic diagram, a visualisation that positions themes by centrality and density in order to classify them by maturity and relevance within the field [26].
The horizontal axis (centrality) indicates the degree to which a theme interacts with others, that is, its relative importance within the field. The vertical axis (density) indicates the degree of internal development of a theme as measured by the strength of links among its constituent terms. Their intersection yields a four-quadrant map, interpreted as follows [26]:
  • Upper-right quadrant: Well-developed themes that are important to the field (the “motor themes”).
  • Upper-left quadrant: Well-developed but peripheral themes that are highly specialised.
  • Lower-left quadrant: Weakly developed and marginal themes that are either emerging or in decline.
  • Lower-right quadrant: Important themes that remain underdeveloped.
This diagram identifies the core research focus in IT governance and their maturity. Figure 3 displays the strategic map with the main themes. The analysis classifies resource allocation, industrial management, strategic alignment and board of directors as motor themes. In the basic and transversal quadrant, COBIT and developing economies act as structural axes with high centrality. In the emerging or declining area, we find information management, IT function and laws and legislation. In the isolated quadrant, resource dependence and relational mechanisms show scarce links to the rest of the themes.
Each research strand is accompanied by a thematic diagram (internal network map) that makes explicit its visual syntax: nodes represent author-keywords; node area is proportional to keyword frequency and the numeral inside each bubble reports that frequency. Edges encode keyword co-occurrence; edge thickness increases with co-occurrence strength (association-strength normalisation) and only links above the analysis threshold are displayed. The layout is force-directed (VOS), so shorter distances suggest stronger association. These maps reveal the conceptual configuration of each cluster and enable a precise analysis of the internal development trajectories of the motor themes [26].

4.3.1. Resource Allocation

Resource allocation holds a central position among the motor themes in IT governance. Figure 4 depicts the cluster with resource allocation as the core node linked to concepts such as risk management, stakeholder management and IT investment.
First, there is a clear relationship between resource allocation and risk management. Anomah et al. [178] show that risk–audit models are only effective when human and financial resources are assigned in proportion to each project’s risk profile. Jafarijoo and Joshi [44] likewise find that value creation depends on the capacity to redirect resources to close security gaps. As Elazhary et al. [53] note, this convergence intensifies under high market turbulence. Abass et al. [9] further confirm that integrating COBIT with COSO reduces audit risk provided sufficient resources are in place.
Second, the diagram links resource management with organisational systems. Begum et al. [36] show that the continuous reallocation of digital resources improves organisational resilience. Akbari et al. [11] report that the longevity of embedded applications depends on aligning investment decisions with system-architecture contingencies. In the same vein, Erasmus and Marnewick [179] propose an IT governance sub-framework for information-systems portfolios that places resource allocation at the core of project coordination.
Stakeholder management is another prominent aspect. Mutakyahwa and Marnetwick [155] show that projects gain legitimacy only when resources are distributed according to the expectations of internal and external actors. Khalid et al. [180] find that stakeholder-informed governance reduces project delays by synchronising resources and priorities. Denford et al. [181] add that decisions to centralise or decentralise IT resources depend on the stakeholders’ power profile. These studies confirm resource allocation as a mechanism for legitimacy and commitment.
Finally, the diagram shows a link between resource allocation and IT investment. Mulyana et al. [182] report that bank IT committees create value only when resources are channelled to ambidextrous initiatives. Fajar and Amri [55] find that COBIT mechanisms optimise the investment portfolio by identifying maturity gaps and prioritising high-impact projects. Levstek et al. [183] highlight that SMEs require more frugal allocation models to address sectoral and competitive constraints.
In sum, the resource-allocation motor theme operates as a conduit towards management and control practices. The analysis shows that governance effectiveness depends on balancing organisational needs, risk profiles and stakeholder demands while optimising technology investment by sector. This opens opportunities to refine allocation models that incorporate value, risk and legitimacy metrics.
As a comparative synthesis, the high centrality of the resource-allocation cluster and its intermediate density indicate a tripartite decision mechanism (value–risk–legitimacy) linking portfolio planning to control and coordination practices: in regulated and high-turbulence settings, prioritisation tilts towards closing security gaps and reducing audit risk (COBIT/COSO), whereas in SMEs and budget-constrained contexts frugal models dominate and sustain resilience through continuous reallocation; stakeholder management (power and expectations) operates as a feasibility condition shaping centralisation/decentralisation choices; and investment–architecture alignment conditions application longevity and the performance of ambidextrous initiatives. Taken together, this pattern accounts for its “motor theme” status and points to strengthening allocation models that integrate value, risk and legitimacy metrics with explicit reconfiguration thresholds.

4.3.2. Industrial Management

In Figure 5, Industrial Management emerges as the organising hub in the thematic network and maintains direct links with Corporate Governance, Transparency, Conceptual Frameworks and Organizational Performance.
These links indicate that decisions on technological investments are embedded in Corporate Governance structures that align IT with business objectives, secure accountability for outcomes and sustain value creation in complex Industry contexts [138,173,184]. Empirical evidence on IT governance maturity and performance shows that organisations with clear structures, well defined processes and stable metrics tend to achieve superior results in terms of Organizational Performance and competitive advantage at Industry level [38,185,186].
The relationship between Resource Dependency Theories, Transparency and External Environments suggests that the coordination of human and technological resources in shared service networks, public administrations and Inter Firm Relationships requires traceable decisions and visible accountability mechanisms for different stakeholder groups [139,187]. In the public sector, IT governance frameworks are used to articulate policies, processes and structures that ensure efficient use of resources, explicit risk management and consistent, transparent decision making, reinforcing the connection between Corporate Governance, Industrial Management and Organizational Performance [34,188,189]. Transparency thus operates as a strong coupling point between Resource Dependency Theories and the constraints imposed by External Environments.
Links with IT Centralization and with Design/Methodology/Approach are associated with observable improvements in performance when stable structures for planning, delivery and monitoring of services are in place, with particular salience in healthcare, government and other information-intensive sectors within Industry [38,46,67]. IT governance process capability, understood as the ability to design, implement and leverage decision making, planning, infrastructure modernisation, service delivery and monitoring processes, is consistently related to IT performance and, indirectly, to business performance [185]. Studies on IT governance maturity, project management and governance practices show that consolidated decision structures, control mechanisms and institutionalised metrics reinforce the relationship between Industrial Management, Corporate Governance and Organizational Performance [49,142,157,190].
In addition, Conceptual Frameworks and Design/Methodology/Approach materialise in maturity models for IT outsourcing and cloud service provision that operationalise indicators, trace performance and enable comparison of organisational units and providers across different segments of Industry [111,112]. These Conceptual Frameworks integrate standards and good practices to balance IT Centralization and outsourcing, define roles and responsibilities and manage Inter Firm Relationships in hybrid IT service ecosystems [173,187]. In this setting, Industrial Management acts as an interface between reference Conceptual Frameworks, organisational architecture and the strategic oversight associated with Corporate Governance.
At the connected periphery, Agency Theory, Content Analysis, Inter Firm Relationships, Organizational Culture, Human Resource Management and Industry emerge as dimensions that integrate politico administrative control structures and competence models for large scale digital transformation programmes [34,46,189]. The IT governance and Organizational Culture literature highlights the role of shared values, compliance ethics and senior management engagement in consolidating governance cultures that reinforce Transparency and strategic alignment [138,157,184]. Human Resource Management and Organizational Culture thus connect Conceptual Frameworks with External Environments by translating regulatory and sector-specific demands into internal structures and management practices aligned with Corporate Governance.
Comparative synthesis. Figure 5 shows that Industrial Management has high centrality and density, acting as an axis that connects Corporate Governance, Organizational Performance and the configuration of Industry. Transparency occupies a strong mediating position between Resource Dependency Theories and External Environments, ensuring that decisions on technological investments and structures are traceable and consistent with institutional constraints. The combination of IT Centralization and Design/Methodology/Approach is associated with verifiable improvements when governance structures and metrics are institutionalised, while Conceptual Frameworks link Organizational Culture with External Environments by translating regulatory and industry requirements into internal management practices. The connected periphery formed by Agency Theory, Content Analysis, Inter Firm Relationships, Organizational Culture, Human Resource Management and Industry indicates a maturation process based on mixed designs and longitudinal assessments. Taken together, these patterns reinforce the status of Industrial Management as a motor theme and prioritise multi context replication, effect size estimation and the systematic integration of time series metrics in comparative studies on IT governance and business performance.

4.3.3. Strategic Alignment

In Figure 6 the Strategic Alignment node structures the thematic network and acts as the central hub connecting Decision Making, Best Practices, IT Performance, IT Outsourcing, Cloud Computing, Supply Chain, Small And Medium Enterprise, Balanced Scorecard and Business Process.
This configuration indicates that alignment between business and IT is realised through governance mechanisms that steer decision quality the systematic use of Best Practices and the achievement of measurable operational and financial outcomes [144,185]. Empirical alignment models show that Strategic Alignment mediates the impact of IT governance mechanisms on organisational performance and remains a top management priority for achieving Organizational Goals [191].
The strong linkage between Decision Making and Strategic Alignment reflects that governance structures clear allocation of decision rights and economic discipline (for example chargeback schemes and cost attribution), reduce informational ambiguity and legitimise IT investment choices [66]. The equally strong connection between Decision Making and Best Practices underlines that the systematic adoption of frameworks such as COBIT and international standards guides the selection of IT governance mechanisms and enables their effectiveness to be assessed in terms of both IT Performance and business outcomes [93,139,192]. In this setting governance maturity and the structured use of Best Practices translate into improvements in IT Performance and provide a stable foundation for Strategic Alignment [148,185].
The links between Strategic Alignment Balanced Scorecard and Business Process show that alignment relies on formal measurement systems that translate strategy into verifiable objectives associated with critical processes [93,116]. Using the Balanced Scorecard as a reference framework facilitates the integration of financial customer internal process and learning indicators with IT metrics thus enabling organisations to monitor how IT governance decisions are reflected in the execution of Business Process [192,193]. Maturity assessments in universities and public organisations confirm that the formalisation of shared indicators and the joint involvement of business and IT in defining objectives support Strategic Alignment and improve performance [154,194].
Figure 6 also highlights a close relationship between Strategic Alignment Supply Chain and Small And Medium Enterprise. The strong linkage between Supply Chain and Small And Medium Enterprise indicates that alignment adopts specific characteristics when manufacturing SMEs depend on logistics and sourcing networks in which information and IT flows are critical [51,195]. Integration between IT governance frameworks and supply chain reference models allows SCOR processes to be mapped to COBIT objectives and controls, thereby providing end-to-end traceability auditable metrics and risk mitigation mechanisms along the Supply Chain [196]. In this context SMEs that prioritise clear strategic objectives and stable metrics achieve improvements in IT Performance and process outcomes under strong resource constraints [51].
The nodes IT Outsourcing and Cloud Computing indicate that Strategic Alignment requires the redesign of governance structures to manage vendor risk coordinate financial and information competences and ensure coherence between service-level agreements and corporate metrics [112,177]. Studies on the alignment between internal and external IT governance show that suitable combinations of hierarchy market and network-based arrangements in outsourcing contracts are associated with process synergies, market growth and innovation [59,197]. Adapting outsourcing maturity models to the external provision of cloud-based services makes it possible to preserve convergence between IT Strategies and business goals when internal infrastructures and Cloud Computing services coexist in hybrid environments [177].
At the periphery of Figure 6 the nodes IT Organizations, IS Management and Shadow System become salient. The notable linkage between IT Organizations and IS Management suggests that the organisational configuration of the IT function and the capabilities for managing information systems largely determine the effectiveness of alignment and the quality of the supported Business Process [198,199]. The presence of Shadow System indicates that the emergence of shadow systems is associated with distant business–IT relationships, time and cost pressures and perceptions of risk that can shift power balances between business units and central IT [200]. From a Strategic Alignment perspective managing these informal systems is essential to prevent them from eroding the coherence of IT Strategies and the formal governance framework.
Comparative synthesis. Figure 6 shows that Strategic Alignment exhibits high centrality and articulates a set of strong ties with Decision Making, Best Practices, Balanced Scorecard, Business Process, Supply Chain and Small And Medium Enterprise. Economic and organisational discipline in Decision Making together with the adoption of Best Practices legitimise investment decisions and reduce ambiguity while Balanced Scorecard-based measurement systems connect alignment with verifiable outcomes in Business Process and IT Performance. In Supply Chain and Small And Medium Enterprise contexts, alignment takes specific forms that combine logistics reference models and IT governance frameworks to preserve strategic coherence under resource constraints. The links between IT Outsourcing, Cloud Computing, IT Organizations and IS Management emphasise that organisational architecture and sourcing choices condition the ability to maintain aligned IT Strategies in distributed environments where Shadow System also need to be governed. Taken together this pattern reinforces the status of Strategic Alignment as a motor theme and points to the need for longitudinal studies that estimate effect sizes between governance mechanisms, alignment and process and performance outcomes across sectors and organisational sizes.

4.3.4. Boards of Directors

In Figure 7 the Board of Directors node appears as the central hub of the cluster and connects to IT Governance Mechanisms, Organizational Performance, Financial Performance, Resource Based View, IT Competence, CIO, Organization, Organisational and Environmental Dynamism.
This configuration places board oversight at the core of how IT capabilities organisational design and firm outcomes are coordinated and supports the view that board-level IT governance is a direct driver of value creation [144,201,202]. From a Strategic Choice perspective, boards decide on the intensity of their involvement according to the role of IT perceived risk and institutional pressures, which shapes how IT Governance Mechanisms translate into Organizational Performance and Financial Performance [58,203].
The association between Board of Directors and IT Governance Mechanisms indicates that effective oversight depends on explicit structures such as IT committees, board charters, formal policies and monitoring metrics that secure investment discipline and decision traceability under turbulent conditions [204,205,206]. Longitudinal evidence in Financial Services shows that operational IT failures and reputational crises trigger adjustments in these mechanisms through strengthened board oversight, reconsideration of technology risks and reprioritisation of the IT project portfolio [146]. In Mena Countries and other emerging markets, corporate governance codes have increasingly embedded board responsibility for IT Governance and cybersecurity, thereby extending the remit of the Board of Directors beyond compliance to proactive risk and value management [207,208].
The strong linkage between IT Competence and CIO highlights the joint role of board-level digital competence and executive technology leadership. Studies show that the presence of directors with IT backgrounds, independent directors with technological expertise and a CIO with strong business competence improves the quality of Information Use at board level and enables substantive discussions on digital risks and opportunities [209,210,211]. Capability-oriented models further indicate that the combination of Board IT Competence and IT operating capabilities enhances the contribution of IT to Organizational Performance and shapes the relationship between IT Governance and Financial Performance [212,213,214].
The close proximity of Organization and Organisational suggests that organisational structure and organisational attributes condition the effectiveness of board oversight. The way roles are distributed between the Director, board committees and the top management team determines the extent to which Board of Directors decisions are transformed into verifiable processes and performance outcomes [153,215]. When the Organization incorporates dedicated IT Governance bodies, transversal coordination mechanisms and clear accountability procedures, the contribution of IT to organisational performance becomes more stable and visible [123,144]. This stream of work also shows that direct board involvement in setting IT principles and metrics reinforces the alignment between business objectives and technology decisions.
The Resource Based View node provides the theoretical grounding for the contribution of the Board of Directors to the accumulation of valuable rare and hard-to-imitate capabilities. Empirical studies indicate that board-driven IT Governance Mechanisms strengthen IT-enabled dynamic capabilities, process agility and innovation, which in turn improve Organizational Performance and Financial Performance [56,202,212]. The presence of Environmental Dynamism as a connected node shows that technological regulatory and competitive turbulence acts as a key contingency that forces boards to adjust oversight intensity review frequency and the mix of formal and informal controls [57,216]. In highly dynamic environments the literature recommends increasing board involvement in IT Governance to sustain strategic responsiveness while preserving financial discipline [58,215].
Finally, research in Financial Services and in firms from different industries examining the relationship between board-level IT governance Organizational Performance and earnings management practices suggests that board IT competence and well-specified IT Governance Mechanisms are associated with stronger operational indicators, although their impact on market-based metrics or earnings management is more nuanced [146,148,208]. These findings reinforce the idea that the Strategic Choice decisions of the Board of Directors regarding composition IT experience and oversight design have direct consequences for the organisation’s ability to leverage technology investments.
Comparative synthesis. Figure 7 shows that Board of Directors occupies a central position and is tightly connected with IT Governance Mechanisms, IT Competence, CIO, Resource Based View, Organizational Performance, Financial Performance and Environmental Dynamism. The strong linkage between IT Competence and CIO underlines that the combination of technology leadership and board-level digital literacy is critical for turning IT governance decisions into sustainable outcomes. The proximity between Organization and Organisational indicates that structural configuration acts as the execution channel that stabilises the effect of board decisions on performance. The simultaneous connection of Board of Directors with Organizational Performance and Environmental Dynamism reveals that the impact of IT governance on results depends both on capability accumulation grounded in the Resource Based View and on the capacity to adapt oversight to changing contexts including Mena Countries and Financial Services settings. Taken together the cluster behaves as a motor theme and points to the need for longitudinal studies that estimate Board IT Competence thresholds and examine how Strategic Choice decisions and intensive Information Use moderate the relationship between IT Governance Mechanisms and the financial and non-financial outcomes of the organisation.

4.4. Emerging Research Themes (RQ4)

Following the analysis of the motor themes identified by SciMAT in the previous section, this subsection addresses the lower-left quadrant of Figure 3, which groups the main emerging themes in the field. These are Information Management, IT Function and Laws and Legislation. The next subsections analyse each of these emerging themes.

4.4.1. Information Management

In Figure 8 Information Management appears as the central node of a low-density cluster that takes shape as an emerging theme organised around the identification of Critical Success Factor, the use of Questionnaire Survey and the integration of Computer Networks and Communication Technologies into information management processes.
The strong linkage between Information Management and Questionnaire Survey suggests that a significant part of this cluster is concerned with operationalising constructs and quantitatively measuring critical success factors for IT governance and information-related initiatives in complex organisations [217,218,219]. The equally intense connection with Computer Networks indicates that the quality of Information Management is interpreted in close relation to network architecture and communication infrastructures that sustain data and knowledge flows in practice, as shown in work on architectural competency, digital infrastructures and inter-organisational governance arrangements [184,220,221].
The relationship between Critical Success Factor and Questionnaire Survey points to a systematic use of critical-success-factor approaches that combine theoretical synthesis and empirical validation through structured questionnaires. These studies identify dimensions such as organisational culture, top-management support, technological capabilities and user competences as Critical Success Factors for the successful implementation of IT governance and information-intensive initiatives in public and service-oriented organisations [79,222]. The presence of the Knowledge Management node reinforces this interpretation and underlines that Information Management is conceived not only as the technical handling of data but also as a process of creating, integrating and applying distributed knowledge across networks of people, organisational units and systems through appropriate governance mechanisms [220,221].
The Grounded Theory Method and Critical Realism nodes position this cluster in a hybrid methodological space where exploratory qualitative designs coexist with survey-based studies. The notable association between Critical Realism and Information Management suggests that part of the literature draws on this ontological stance to explain how technological structures, organisational settings and user practices generate causal mechanisms that shape information governance outcomes [223]. The use of grounded, inductive case studies and framework-design approaches, often complemented with data collected through Questionnaire Survey, enables the articulation of conceptual models that emerge from fieldwork and are subsequently refined through quantitative analysis, consolidating more robust sets of Critical Success Factors and governance mechanisms [222,224].
As a comparative synthesis, the joint presence of Communication Technologies and Computer Networks alongside Critical Success Factor, Questionnaire Survey, Knowledge Management, Grounded Theory Method and Critical Realism shows that this cluster brings together three complementary dimensions of Information Management: an infrastructural view that emphasises communication networks and distributed architectures as enabling conditions for information and knowledge processes; a governance-oriented view that focuses on Critical Success Factors identified and validated through Questionnaire Survey; and a methodological–ontological view in which Grounded Theory Method and Critical Realism provide lenses to interpret how organisational structures and user practices generate the observed outcomes of Information Management and Knowledge Management initiatives.

4.4.2. IT Function

In Figure 9 the IT Function node appears connected only to Governance Approach, forming a very low-density cluster that can be classified as an emerging theme.
The literature suggests that the way the IT Function is conceived and organised conditions the chosen Governance Approach from the design of governance mechanisms to the maturity level ultimately achieved [66,169]. Empirical studies show that the responsibilities assigned to the IT Function together with the decision structure and the allocation of tasks over infrastructure technology and performance management directly shape the Governance Approach and its ability to maintain business–IT alignment and process improvement [225,226]. Recent COBIT-based assessments reinforce this view by evidencing that process maturity and control quality depend on how the IT Function assumes its role within the broader IT governance system [71,108].
Comparative synthesis. Figure 9 shows that IT Function and Governance Approach constitute a small core suggesting an early-stage research area focused on how the structure and competences of the IT Function condition the design and effectiveness of IT governance. The low density and concentration in only two nodes indicate that this is an emerging theme with potential to underpin future comparative studies linking IT Function configurations governance maturity levels and organisational outcomes across different sectoral and regulatory contexts.

4.4.3. Laws and Legislation

In Figure 10 the Laws and Legislation node is connected only to Information Security, forming a very low-density cluster that can be classified as an emerging theme.
The literature indicates that legal frameworks such as the Sarbanes–Oxley Act (SOX) and other regulatory instruments have made IT governance and Information Security a regulatory imperative, particularly for SMEs and financial institutions [104,227]. These contributions show that regulatory pressure drives the adoption of frameworks such as COBIT, maturity models and regular audits as mechanisms to ensure decision traceability, legal compliance and reduction in security threats [62,69,72]. Within this perspective, Laws and Legislation operates as an external catalyst that forces organisations to formalise governance structures and to strengthen Information Security practices beyond purely technical solutions.
Comparative synthesis. Figure 10 shows that Laws and Legislation and Information Security constitute a small core that reflects an early-stage research area focused on the impact of legal frameworks on IT governance design and security risk management. The low density of the cluster and the concentration in just two nodes support its classification as an emerging theme mainly concerned with how statutory requirements and legislation-driven audits translate into incremental improvements in IT Governance maturity and the mitigation of Information Security threats in banks, SMEs and other highly regulated sectors.

4.5. Thematic Groups (RQ5)

This section identifies and describes the principal thematic lines that currently structure research on IT governance. Following the methodology described above, a VOSviewer co-occurrence analysis of keywords was conducted on the final sample of 380 articles. The process generated the network shown in Figure 11, in which seven clusters group the field’s most relevant concepts.
These clusters form an interconnected network of key concepts related to IT governance and reveal consolidated knowledge cores. The following sections examine each cluster in depth to address this research question.

4.5.1. Cluster 1: IT Investments

This cluster is dominated by IT investment and its direct relationship with IT governance. Unlike purely operational management, IT governance directs and controls technology with a strategic orientation that spans objective alignment, value creation and risk management [138,139]. Translating these principles into practice requires close examination of critical factors, impact metrics and methodological frameworks tailored to context.
Early studies in Indonesian public organisations show that clear policies and systematic monitoring and evaluation processes are decisive for sustaining the investment life cycle from planning through maintenance [34,35]. More recent research in Indian state-owned enterprises underscores the role of IT strategy, performance-measurement systems and efficient resource allocation as levers of success [36]. Sociocultural factors such as uncertainty avoidance and individualism also shape implementation structures and processes [37].
In terms of outcomes, empirical evidence points to financial and operational improvements when investments are governed with good practice. Lunardi et al. [45] report significant profitability gains in the year following the adoption of formal IT governance frameworks, while Pang [46] observes that institutionalising the CIO role boosts the positive returns of IT expenditure in the US public sector. At the micro-process level, Jafarijoo and Joshi [44] show that value creation in cloud computing depends on relational mechanisms between IT and the business. Similarly, Trujillo-Lambert et al. [7] and Turedi and Zhu [47] link participatory decision structures such as senior-management commitment and structured decision rights with improvements in organisational performance.
To operationalise these findings, the literature proposes analytical tools and integrated frameworks. The Viable System Model (VSM) enables dynamic alignment across corporate subsystems [98]. Real Options Analysis helps to value investments under uncertainty [99,100]. Specialised tools such as CAT 5 support the measurement of COBIT 5 maturity [101]. Metamodels that combine good practices from VAL IT, ITIL and PMBOK expand process coverage and reduce overlap [102,103].
Despite these advances, there is no universal approach. Effectiveness varies by sector, size, technological maturity and organisational culture. Evidence from Ghanaian banking [140], Colombian SMEs and other contexts [38,39] confirms the need to adapt practices to local contingencies and to adopt contingent perspectives [41,42].
In sum, research in this cluster shows that IT investments create sustainable value only when they rest on structured, rational and contextualised governance. This implies three implications for the cluster:
  • Prioritise projects by value and risk.
  • Design decision structures that embed the business.
  • Select framework combinations that match organisational maturity and sector.

4.5.2. Cluster 2: Organizational Performance and Board of Directors

This cluster examines how IT governance articulated through the board of directors drives organisational efficiency and performance. It starts from the premise that IT governance not only coordinates technological resources but also establishes direction and control mechanisms that maximise value creation and competitive resilience [58,202]. Four interrelated strands are considered:
(1)
Impact of governance on performance.
A large body of work reports direct and indirect links between IT governance and financial, operational and innovation performance. Ali et al. [52] and Wu et al. [144] show that innovation and strategic alignment mediate positive effects on outcomes. Governance enables information-based decision making and process optimisation. In emerging contexts such as Saudi and Palestinian firms returns on assets (ROA) and equity (ROE) improve when top management possesses technological knowledge [146,208,228]. Sectoral evidence from hospitals with electronic clinics and from firms migrating to the cloud indicates gains in revenue and productivity where governance mechanisms are rigorous [148,149,177]. These findings align with research that positions IT-enabled dynamic capabilities and organisational agility as causal pathways between governance and performance especially in turbulent environments [55,147,170,212].
(2)
Technological expertise on the board.
Board composition and competencies are decisive for effective technological oversight. Studies such as Al-Sartawi [207] and Benaroch and Chernobai [205] show that IT expertise on the board mitigates cybersecurity risks and accelerates governance improvements after operational failures by channelling market responses through CIO turnover and strengthened managerial capabilities. Jewer and McKay [203,209] find that direct metrics of board digital competence better predict governance effectiveness than indirect indicators. Work in Ireland and Malaysia reveals divergences in how CIOs perceive IT issues [210,211].
Historically, Nolan and McFarlan [206] argued that board-level IT committees reduce overruns and create competitive advantages. Recent studies link oversight, information management and continuous auditing with improved business-process performance [229,230]
(3)
Governance mechanisms and practices.
This strand covers concrete practices that operationalise board oversight. Ako-Nai and Singh [204] report that boards in listed firms manage IT budgets effectively yet often delegate operational supervision to specialised committees, which creates gaps in the monitoring of outsourced IT arrangements. Empirical work by Bart and Turel [231,232] shows that the quantity and quality of IT-related questions in board meetings correlate positively with organisational performance. Not all issues carry equal weight, however, which exposes a gap between perceived importance and actual attention. Other studies examine specific mechanisms such as IT refactoring or ambidextrous governance provided the CIO brings strong business competencies [182,233]. Persistent gaps between theory and practice remain across structure, processes and people, with senior-management awareness flagged as a critical challenge [234,235]. Supporting these practices, numerous scales and measurement models have been validated to capture governance maturity across rights, accountability, strategy, acquisition and risk management. Each component affects performance differently and gives boards tangible indicators to prioritise investments and monitor IT-derived value [191,236].
(4)
Mediating and moderating factors.
Given the complexity of organisational outcomes, governance rarely acts linearly. IT-enabled innovation and dynamic capabilities fully mediate the relationship between governance and agility [52,53]. Governance also moderates the influence of strategic alignment on performance in proactive firms [54]. Business agility, operational capabilities and outsourcing strategies serve as partial mediators of effects on organisational performance [201,213,215,237]. Limiting conditions include high environmental dynamism, authoritarian leadership styles and decentralised governance schemes [56,57,58]. Alignment between internal and external governance mechanisms sets differentiated trajectories: hierarchical models optimise operational efficiency, market-based models foster growth and network models promote innovation [59,60].
In conclusion this cluster shows that efficiency and performance improve when IT governance is embedded in board agendas through digital competencies, specialised oversight structures and value metrics. Three areas merit further inquiry:
  • International standardisation of board-level technological-competence metrics.
  • Adaptation of governance mechanisms to highly regulated or highly digitalised sectors.
  • Longitudinal exploration of how CIO leadership styles and board dynamics shape outcomes in unstable environments.

4.5.3. Cluster 3: Governance Maturity

This cluster centres on the maturity of IT governance. Maturity is understood as the degree of development, standardisation and effectiveness of the mechanisms that direct and control an organisation’s technological resources. Building on early conceptual frameworks such as those by De Haes and van Grembergen [169] and Simonsson et al. [186], contemporary work adopts a multidimensional view that links maturity with strategic alignment, value creation and risk mitigation [61,238]. Progress therefore requires rigorous diagnostics, sensitivity to contextual factors and the progressive implementation of continuous-improvement practices.
Measurement methodologies rely chiefly on COBIT and its extensions. Empirical studies in banks and government agencies show that most organisations sit at intermediate levels (around level 3). Processes are defined yet weaknesses persist in automation, objectives and formal policies [104,105]. Tools such as CAT5 support self-assessment and evidence-based improvement plans [101]. Recent research combines “hard” indicators (processes and controls) with “soft” dimensions (perception and culture) to deliver fuller diagnostics [61,72]. Public libraries, government offices and academic networks frequently operate between levels 2 and 3 and retain substantial gaps with respect to optimised levels [106,107,108,109].
Drivers and barriers are heterogeneous. At organisational level, independent audit, explicit IT principles and policies, and leadership involvement stand out as enablers [62,63]. Cultural variables such as initiative or hierarchical styles shape perceptions of maturity, while funding constraints and weak executive participation act as inhibitors [64,65]. Comparative studies highlight differences by ownership type (public or private), national development level and the degree of IT–business integration [66,68]. Transparency and knowledge management further strengthen maturity by improving accountability and credibility with stakeholders [71].
Maturity is positively associated with multiple organisational outcomes. From level 2 onwards, governance has a significant effect on business–IT alignment, service quality and financial performance [186]. Higher maturity correlates with greater external transparency, fewer security incidents and stronger competitiveness [175,239]. Recent work also points to gains in institutional responsiveness and optimisation of budgetary control supported by periodic audits and continuous improvement [62].
Sectoral analyses mirror these patterns. In banking, private institutions display stronger strategic alignment than public ones, where gaps in automation and policy remain [104]. In higher education, frameworks grounded in ISO 20000, UNE-ISO/IEC 38500 and ITIL facilitate transitions to outsourced and cloud-based services [110,112]. Public bodies such as libraries and civil registries show initial maturity levels and need tailored guidance for internal process enhancement, while studies in Korea and Ecuador underline the decisive influence of national culture and resource availability [71,240]. These variations confirm that tailoring maturity frameworks to specific realities is essential for accurate diagnosis and improvement strategies.
In sum, IT governance maturity is a robust predictor of organisational value. Its development, however, depends on reliable metrics, committed leadership and context awareness. Open research fronts include the standardisation of integrative measurement tools, longitudinal analyses of maturity trajectories and a deeper understanding of how cultural and regulatory factors shape optimal improvement routes.

4.5.4. Cluster 4: Corporate Governance and Organisational Effectiveness

This cluster brings together concepts such as corporate governance and IT alignment. The literature examines how the integration of corporate governance and IT governance underpins strategic alignment, value creation and risk management. Recent studies indicate that technological governance has become an essential component of corporate direction, since it introduces formal control mechanisms that reinforce competitiveness and organisational resilience [48,73,74,116,150].
First, empirical evidence suggests that governance fosters coherence between corporate objectives and technological capabilities regardless of firm size or sector [74,150]. Integrative models show that different alignment modes—functional, structural and temporal—create value through competition, flexibility and oversight [151,152]. Social alignment is reinforced by senior-management support, IT representation on the executive committee and joint planning, which strengthens the internal credibility of the IT function [51,153].
Second, the literature converges on the view that international governance frameworks and standards such as COSO [9], COBIT [10] and UNE- UNE-ISO/IEC 38500 [5] promote sound corporate-governance practice and facilitate regulatory compliance [9,114]. For SMEs, models that combine Balanced Scorecard with cultural and demographic variables have been proposed to monitor organisational performance [115,116]. Comparative studies also reveal significant jurisdictional variation in governance capacity, calling for contextualised implementation strategies [75,117]. The literature further warns of competence gaps among directors who often lack awareness of IT-control risks, pointing to the need for board-level capability development [118,119].
Third, governance effects vary across sectors and organisational settings. Evidence from banking and large firms shows that integrating regulatory frameworks strengthens control effectiveness and digital-content management [9,241]. In contrast, in manufacturing SMEs and public universities, environmental uncertainty and the strategic orientation of IT condition technological performance [51,76,115]. Normalisation, centralisation and IT-department size also influence how governance and management tasks are allocated [77,242]. In inter-organisational settings, value is realised when governance incorporates stakeholder participation, although standards such as UNE-ISO/IEC 38500 [5] may require adjustments to gain effectiveness [243,244].
Fourth and finally, the organisational pay-offs of corporate IT governance appear across business continuity, transparency, financial performance and responsiveness, with IT governance acting as a critical mediator between traditional corporate-governance mechanisms and these dimensions [73,74].
In conclusion, despite conceptual advances, several research challenges remain open, including the international standardisation of board-level technological-competence metrics, the assessment of governance impacts in unstable environments and the adaptation of frameworks to highly digitalised sectors.

4.5.5. Cluster 5: Information Systems and Relational Mechanisms

This cluster centres on Information Systems (ISs) and their connections with knowledge management and relational mechanisms. The literature starts from the premise that ISs are the vehicle through which IT governance is enacted in practice. Their value lies not only in technological infrastructure but also in relational mechanisms such as IT committees, interfunctional communication processes and knowledge sharing. These mechanisms circulate around ISs to align strategies, manage risk and mobilise organisational capabilities [86,91]. Overall, the cluster emphasises social interaction and learning as engines of value creation along four strands: IS-based governance mechanisms, knowledge and learning capabilities, adoption factors, and impacts on organisational outcomes.
(1)
IS-based governance mechanisms and frameworks.
Empirical studies by Al-Sa’eed et al. [120] and Bianchi et al. [121] show that COBIT domains exert differentiated effects on resources and information criteria, while the combination of strategic committees, IT leadership and joint planning enhances effectiveness in universities and large corporations. In outsourcing contexts, governance shifts from an intra-organisational to an inter-organisational logic, requiring flexible contracts and shared metrics [122].
Hybrid tools such as STOPE (strategy, technology, organisation, people, environment) and GRC (governance, risk, compliance), which integrate artificial intelligence with knowledge management, support the diagnosis of strengths, weaknesses and adherence to standards such as UNE-ISO/IEC 38500 [5] with accuracy comparable to human assessment [124,125]. These advances illustrate the trend towards the digitalisation of governance, equipping it with analytics and automation.
(2)
Knowledge and learning capabilities.
A distinctive feature here is absorptive capacity (ACAP-ITG). Senior management must cultivate prior knowledge, communication networks and an open climate to internalise and exploit governance good practice [87,245]. Research in healthcare corroborates that knowledge sharing improves process efficiency and risk management [246]. In parallel, Gottschalk and Karlsen [89] show that internal collaboration strengthens all pillars of governance, while organisational learning helps bridge the theory–practice gap observed in many implementations [247].
(3)
Adoption and assimilation factors.
The literature distinguishes organisational factors (top-management support, organisational culture, infrastructure), technological factors (technological compatibility, ease of use) and environmental factors (regulatory pressure and competition). In SMEs, relational mechanisms—ad hoc meetings and trust networks—outperform formal controls; in large firms, a combination of structural and process mechanisms is crucial to manage complexity [80,81].
Other work shows that CEO–CIO distance and infrastructure modularity determine the degree of business–IT alignment [82,83]. These findings reinforce a contingent view of governance: there is no single best way, but rather context-appropriate configurations by size, strategy and setting.
(4)
Impact and organisational outcomes.
Empirical evidence links IS-anchored governance with operational, financial and strategic improvements. At project level, alignment between IS architecture and governance extends application longevity and maximises ERP pay-off [11,90]. At corporate level, IT steering committees, senior-management involvement and performance-measurement systems raise profitability and user satisfaction [88,123].
Relational governance also enhances flexibility and agility—critical components for responding to turbulence and exploiting digital opportunities [84]. ISs thus act as orchestration platforms that channel knowledge, coordinate actors and translate technology investments into competitive advantage.
In conclusion, this cluster shows that the value of IT governance emerges at the intersection of technology and social relations. ISs provide the infrastructure, but relational mechanisms and learning capabilities are what leverage that infrastructure to generate value. Nonetheless, several gaps remain:
  • The longitudinal impact of AI and predictive analytics.
  • How SMEs and other organisations can scale relational practices without incurring administrative overloads.
  • The standardisation of metrics to assess governance quality.

4.5.6. Cluster 6: Organisational Impact, Strategic Alignment and Risk Management

This sixth cluster brings together multiple terms that explore how IT governance generates organisational outcomes, aligns technology strategy with business strategy, and controls the risks associated with digitalisation. Its perspective can be organised into four broad areas:
(1)
The organisational impact of IT governance.
The positive effects of IT governance implementation are reflected in financial performance, operational efficiency and innovation. Empirical studies in Saudi educational institutions show that CIO authority, departmental IT capability and risk management explain a significant share of overall performance [248]. Similar results appear in Asian universities, where IT governance acts as a catalyst for competitive advantage [142].
In the Mexican public sector, clear project policies, strategic communication and systematic evaluation increase municipal innovation via the acquisition, assimilation and exploitation of knowledge [249]. At firm level, CRM diffusion in banking and efficiency gains in SMEs indicate that decision-execution mechanisms are decisive in translating IT governance into profitability and productivity [195,250,251,252]. Clear and robust interfunctional relationships—such as the CIO–CFO dyad—also improve strategic alignment and individual effectiveness in the public sector [157,181].
(2)
Frameworks and implementation mechanisms.
COBIT remains the dominant reference for articulating controls and mitigating technology risk. Studies in technical universities confirm stronger structural mechanisms than relational or process mechanisms, contingent on internal and external factors [253]. In parallel, maturity in IT risk management (ITRM) correlates across its dimensions, suggesting that progress in one area—such as business continuity—drives transversal improvement [167,254]. The literature also introduces ambidextrous approaches that balance control and flexibility, as well as intelligent decision-support systems capable of simultaneously detecting efficiency drifts and unapproved IT use (also known as shadow IT) in public agencies [255,256]. Finally, analytical tools such as G-RAM link software-vulnerability assessment with strategic objectives, turning risk management into a value-generating process [257,258].
(3)
Risk management and audit.
Integrated risk management and audit processes under IT governance constitute a critical element in this cluster. Empirical work shows that COBIT-based e-internal audit substantially reduces audit risk, with monitoring and evaluation dimensions exerting the strongest influence [259]. Studies of Jordanian firms indicate that audit quality shapes the relationship between IT governance and risk, pointing to the need for specialised competencies within audit teams [260,261]. More broadly, objective risk models—built on inverse correlations between ROI and perceived risk—show that quantitative measurement supports better investment decisions [178,184,262].
(4)
Strategic alignment and stakeholder management.
Business–IT alignment is conceived as a relational process in which stakeholder management bridges strategy and technology. Research on global projects shows that market turbulence intensifies the need to govern stakeholder relationships to sustain success [155].
Within technical universities, mere adoption of reference frameworks is insufficient; executives must understand the strategic value of IT and foster a collaborative culture [257]. The literature also highlights the importance of communication mechanisms—meetings and dashboards—over rigid structures, especially in public projects where citizen participation is critical [263,264]. Additional studies confirm that commitment to COBIT principles fully mediates the relationship between governance mechanisms and strategic alignment; adopting isolated controls is inadequate without a systemic vision backed by top management [216,265].
In sum, the cluster converges on a common insight: IT governance drives organisational performance when formal frameworks, relational management and risk practices are integrated. Nonetheless, several areas merit closer attention:
  • Standardised metrics to assess audit quality.
  • Longitudinal studies tracking the joint trajectory of risk-maturity and organisational performance.
  • Deeper understanding of re-centralisation dynamics and unapproved IT use in highly regulated environments.

4.5.7. Cluster 7: IT Governance Frameworks

In this final cluster, the literature shows that the evolution of IT governance has proceeded in tandem with the consolidation of standardised reference frameworks such as COBIT, UNE-ISO/IEC 38500, NIST and ITIL, among others. These frameworks provide a common language, capability metrics and pathways for continuous improvement [93,266]. They are conceived as instruments to ensure that technological resources contribute to strategic objectives and value creation, yet their effective application requires contextual adaptation and an understanding of alignment and control mechanisms.
Sectoral applications converge on the versatility of these frameworks. In banking, empirical studies by Adrian and Wang [267] and Al-Qatanani [8] show that COBIT-based capability assessments place most processes between levels 2 and 3, with notable gaps to level 5, and that the monitoring-and-evaluation domain exerts a strong influence on institutional performance. In Spanish universities, projects display high alignment rates with governance principles, while local governments have prioritised processes and resources using COBIT 2019 in line with organisational capacity [92,268]. Research in telecommunications, insurance and smart-campus settings likewise evidences COBIT’s utility for detecting gaps and designing tailored improvement plans [94,269].
Beyond cross-sector adoption, the literature emphasises strategic alignment and process optimisation as core benefits. Mapping business imperatives derived from the Business Model Canvas to COBIT 5 processes supports coherence between corporate goals and technological capabilities [270]. Other work proposes integrating SCOR and COBIT via ArchiMate to link the supply chain with the IT architecture [196]. Studies by Hamid and Sulaiman [271] and Maseko and Marx [272] establish COBIT benchmarking for systems development, revealing recurrent gaps in control and risk requirements, while also demonstrating the capacity of frameworks to satisfy regulatory expectations under regimes such as King III.
Framework comparison and integration constitute another key strand. Models grounded in UTAUT explain ITIL adoption and reveal functional overlaps with COBIT and ISO 20000/27000 [127,128]. Pairing ITIL with EFQM compensates measurement shortfalls in the former, while hybrid metamodels support design decisions in complex organisations [129,131]. More recent work explores emerging frameworks such as IT4IT and evaluates the incorporation of environmental-sustainability criteria, noting that COBIT 5 already covers more environmental topics than its predecessors [132,134].
In parallel, the literature develops decision-support tools: AHP techniques and genetic algorithms aid improvement prioritisation, while COBIT 2019 starter kits help SMEs implement governance, albeit with challenges of methodological rigidity [96,273].
Finally, authors identify people-, process- and technology-oriented critical success factors that condition framework outcomes. Privacy and data protection emerge as priority enablers in IT environments [274], while information-flow design in COBIT 2019 enables more accurate early-stage decisions [95]. Empirical studies further validate COBIT’s consistency as a predictive model in audits and encourage deeper measurement of the value generated by framework implementation [136,137].
In conclusion, this cluster evidences that governance frameworks are indispensable for professionalising IT management, but their effectiveness depends on contextual tailoring, integration with complementary models and careful socio-technical considerations. It also highlights several gaps worth addressing:
  • Evolution towards more flexible hybrid models.
  • Sustainability metrics.
  • Governance mechanisms that incorporate advanced analytics and continuous learning.

4.6. Discussion

The results reported in Section 4.1, Section 4.2, Section 4.3, Section 4.4 and Section 4.5 reveal a set of research gaps—areas that have been comparatively underexplored owing to their recent emergence or limited development.

4.6.1. Comparison Between SciMAT and VOSviewer

In this study VOSviewer displays a keyword network in which IT governance topics are grouped into well-defined clusters while SciMAT positions the same topics in the strategic diagram (Figure 3) according to their centrality and density. Comparing both tools confirms a coherent thematic structure in which the VOSviewer maps (Figure 11) show central clusters aligned with the motor themes identified by SciMAT and peripheral nodes associated with emerging themes.
For the driving themes SciMAT classifies resource allocation, industrial management, strategic alignment and board of directors as consolidated axes, and VOSviewer depicts them as dense clusters connected with terms related to governance mechanisms, organisational performance and board structures. Resource allocation and industrial management concentrate co-occurrences around the use of resources and sectoral configuration, whereas strategic alignment and board of directors group items linked to business–IT alignment and board level oversight. This convergence indicates that the field has established a stable research core around resource allocation, industrial management, strategic alignment and the role of the board in IT governance.
For the emerging themes SciMAT places information management, IT function and laws and legislation in low-density areas and VOSviewer represents them as small clusters or peripheral nodes connected with critical success factors, networks and information security. Information management is mainly associated with questionnaires, critical factors and knowledge management IT function with governance approach and the organisational configuration of the IT Function and laws and legislation with regulatory aspects and Information Security. The agreement between SciMAT and VOSviewer in these patterns supports the interpretation of these three topics as still fragmented emerging lines and suggests the value of studies that combine SciMAT’s evolutionary perspective with the relational detail provided by VOSviewer.

4.6.2. Principal Research Gaps

The VOSviewer co-occurrence map (Figure 11) and SciMAT’s evolutionary analyses (Figure 3), together with the evidence reported in Section 4.2, Section 4.3, Section 4.4 and Section 4.5, portray a growing research field that still exhibits clear blind spots despite the consolidation of the driving themes. Combining the motor themes (resource allocation, industrial management, strategic alignment and board of directors) with the emerging themes (information management, IT function and laws and legislation) highlights several areas where theoretical and empirical development remains limited.
First there is an evident gap regarding digital competences and board-level oversight. The board of directors cluster shows high centrality but only moderate density and in the co-occurrence maps it is mainly associated with performance and governance structures rather than with information management or security practices. Although some studies link board IT competence to organisational performance [58,201,203], the number of contributions is still small and does not fully specify how board composition and interactions with top management shape governance decision quality and its effects on resource allocation and strategic alignment [56,212].
Second there is a lack of longitudinal evidence linking governance maturity to value, risk and sustainability outcomes. Many empirical studies use COBIT to assess maturity but do so in cross sectional designs [66,136,137] and rarely follow organisations across multiple improvement cycles to verify whether maturity gains translate into sustained benefits as recent contributions suggest [267]. This is compounded by geographical and sectoral concentration: evidence is largely drawn from large corporations and public bodies in a limited set of countries [19,166], while SMEs, collaborative networks and critical sectors in developing economies remain underrepresented [33].
Third the emerging themes reveal specific gaps. Information management appears as a low-density cluster connected to questionnaires and Critical Success Factor [34,67] but only loosely linked to the governance mechanisms described in the motor themes, despite its connection to Knowledge Management and network infrastructures. IT function is associated with a single Governance Approach, suggesting that the literature has not yet examined in depth how different configurations of the IT Function (centralised, outsourced or hybrid) affect the effectiveness of IT governance mechanisms [66,108,226]. Laws and legislation form a small core with Information Security and point to a still-fragmented treatment of how regulatory frameworks reshape governance structures and risk-management practices [62,69,227].
Finally the SciMAT and VOSviewer maps show only peripheral references to advanced analytics, artificial intelligence and agile practices within IT governance frameworks. These elements appear scattered and are rarely integrated as explicit dimensions of IT Governance mechanisms, despite their growing relevance for resource allocation, industrial management and strategic alignment [9,11,53].
Taken together these gaps underline the need to move beyond structural descriptions and one-off maturity assessments towards designs that examine causal mechanisms and differential effects. In particular it becomes crucial to understand how decisions on resource allocation, industrial management configurations, strategic alignment mechanisms and board of directors oversight interact with information management practices, IT Function design, regulatory requirements derived from laws and legislation and the adoption of new technologies across diverse sectoral contexts.

4.6.3. Emerging Areas

The research gaps identified in the previous section point to several thematic areas that merit attention in future work:
(1)
Board-level digital competencies and longitudinal maturity evaluations
Board-level digital competencies and the evolution of IT governance maturity over time form a first clearly emerging area. Existing studies show that the presence of directors with technological expertise and dedicated IT committees is associated with better oversight and improved organisational performance, although the findings are still limited in number and scope [58,203,207]. A recurring theme is the need for more precise measures of board digital competence that capture professional background sector experience and prior involvement in IT-intensive initiatives and relate these aspects to decisions on resource allocation, strategic alignment and information security oversight [229,230].
A second strand within this area focuses on how IT governance maturity is observed over time. Most empirical applications of maturity models such as COBIT rely on cross-sectional assessments that provide a static view of capability levels and do not show whether changes in maturity are followed by sustained improvements in value risk reduction or sustainability outcomes [66,136]. Recent contributions call for longitudinal designs that follow organisations through several improvement cycles and connect maturity trajectories with financial operational and transparency indicators in order to estimate effect sizes and identify realistic thresholds of board IT competence [137,267].
(2)
Integration of governance information security regulation and relational agile mechanisms
A second emerging area is the integration of IT governance structures with information security regulation and the relational and agile mechanisms through which governance is exercised in practice. Empirical work that combines frameworks such as COBIT or UNE-ISO/IEC 38500 [5] suggests that integrated approaches can reinforce control effectiveness and regulatory compliance but also reveals heterogeneous adaptations by sector and persistent competence gaps among senior decision makers [9,75,114]. Parallel studies on information systems and knowledge management emphasise that learning culture, trust communication networks and knowledge sharing are essential to translate formal structures into alignment-efficient resource use and organisational resilience [89,91].
Within this area a growing body of work analyses how more flexible governance arrangements apply agile principles to cope with environmental turbulence shadow or informal digital initiatives and inter-organisational dependencies [167,256]. These contributions describe legal requirements, security controls and relational practices as interdependent elements of concrete governance architectures and highlight mechanisms such as lightweight committees, iterative risk reviews and continuous learning routines as ways to increase responsiveness while keeping a stable basis for accountability and auditability [52,53].
(3)
Integration with new technologies
A third area that is consolidating rapidly concerns the integration of new digital technologies into IT governance frameworks. The expansion of advanced analytics, artificial intelligence cloud services and platform-based architectures is transforming how organisations design information systems allocate resources and implement controls. Several studies examine how governance structures influence the benefits obtained from enterprise systems and analytics and how hybrid tools such as STOPE or GRC incorporate automated diagnostics and intelligence into governance processes [90,124,125]. Other works analyse the alignment between emerging frameworks such as IT4IT environmental sustainability requirements and established references like COBIT and ISO standards showing that governance models are being extended to cover digital service chains and green objectives [132,134].
Even so, artificial intelligence, predictive analytics and cloud native architectures are still only partially addressed as explicit dimensions of IT governance. Recent contributions explore how these technologies are embedded in decision risk and control domains, which indicators are adequate to evaluate their contribution to value creation and risk mitigation and how boards and executives adapt their oversight practices when governance must be exercised over algorithmic systems, distributed infrastructures and data-intensive services [32,50].

4.6.4. Causes of the Gaps and Epistemological Biases

The pattern of gaps identified in the literature points to several shared causes. Cross sectional research designs are dominant and produce static estimates that make it difficult to reconstruct causal trajectories or to show that increases in governance maturity effectively lead to organisational value creation. The IT governance construct is operationalised in heterogeneous ways and often combines frameworks and domains without clearly specifying the mechanisms and outcomes, which reduces comparability and replication across sectors. In addition, a predominantly normative orientation tends to highlight compliance with reference frameworks and detailed process mapping over the analysis of socio-technical and relational mechanisms that explain why governance arrangements are effective in specific contexts. Practical evaluations remain limited and frequently rely on surrogate indicators that are not systematically linked to risk reduction or value creation and that rarely undergo external validation.
These features are associated with several epistemological biases. A cross-sectional positivist bias gives priority to correlation over causal explanation. A normative prescriptive bias assumes the validity of frameworks and postpones their contextual scrutiny. A coverage bias concentrates evidence in particular sectors and regions and constrains external validity. Finally a surrogate metrics bias equates higher maturity scores with better outcomes without longitudinal confirmation, which contributes to the distance between the central role attributed to IT governance and the relatively modest body of robust and transferable empirical findings.

5. Conclusions

This study offers an overview of more than 25 years of research on the governance of Information Technology. Supported by a systematic literature review and bibliographic analysis tools such as SciMAT and VOSviewer, it shows how IT governance has evolved from an initially normative focus to a field where strategy, risk and data-centric disciplines converge.
The main findings, structured around five research questions, highlight several im-portant aspects:
  • RQ1. Number of Publications
The analysis of scholarly output in IT governance between 1999 and 2025 shows a clear progression: moderate growth to 2008, a pronounced surge to 2013, and sustained stabilisation at around 20–30 publications per year thereafter. This trend reflects consolidation of the field and a shift from prescriptive approaches to more strategic and resilient frameworks. The COVID-19 pandemic acted as a catalyst for new governance needs, prompting greater agility in existing models. Current thematic maturity confirms the field’s development into a multidisciplinary discipline capable of adapting to emerging challenges.
  • RQ2. Authors, Institutions and Countries
The review identifies a classic set of highly cited authors—such as de Haes & van Grembergen [169] and Weill & Ross [29]—underscoring the persistence and influence of their contributions. At the same time, a gradual decentralisation of knowledge is evident, with growing prominence of countries such as Malaysia, Indonesia, Mexico and Brazil. Institutionally, universities and research centres continue to lead scientific production, albeit with increasing geographical dispersion and openness to international collaboration. This expansion suggests diversification of perspectives and contextual approaches within IT governance.
In line with this, the outlet distribution follows a long-tail configuration, with a small recurrent core and an extended tail of specialised venues where cumulative volume remains substantial despite low per-journal counts. The country ranking largely reflects publication volume; European countries publish fewer IT governance articles over the study window, with part of the activity channelled under adjacent themes (e.g., digital transformation or compliance) and part conducted through multi-country collaborations that dilute national counts.
  • RQ3. Driving Research Themes
The analysis of the driving themes reveals an IT governance field structured around four complementary pillars. Resource allocation operates as a central decision mechanism that balances value risk and legitimacy and links portfolio planning to organisational resilience and system architecture. Industrial management connects corporate governance transparency, conceptual frameworks and organisational dimensions and integrates technological decisions into sector-specific configurations supported by process structures, institutionalised metrics and intercompany relationships.
Strategic alignment functions as the backbone of the system by articulating decision quality, the use of best practices measurement systems and the specificities of supply chains and small and medium-sized enterprises as well as outsourcing and cloud computing choices. Finally boards of directors emerge as the core oversight instance where IT competence governance design and adaptation to environmental dynamism determine how technological capabilities are translated into operational and financial performance.
Taken together these driving themes describe a multilevel architecture of IT governance that integrates portfolio decisions, industrial structures, alignment mechanisms and board-level oversight, and they point to the need for more integrated and longitudinal explanatory models.
  • RQ4. Emerging Research Themes
The emerging themes outline a research agenda that is still consolidating but already has clear implications for the evolution of IT governance. Information management appears as an emerging area focused on operationalising critical success factor through structured questionnaire survey and on linking knowledge management with infrastructural layers such as computer networks and communication technologies.
The IT function is connected to governance approach and shows that the allocation of responsibilities decision structures and technical competences shapes the design and effectiveness of IT governance mechanisms. Finally laws and legislation act as an external catalyst that drives the formalisation of governance structures and the strengthening of information security practices, particularly in highly regulated sectors.
Taken together these emerging themes indicate a shift towards more contextual and multi-method approaches that connect infrastructure, critical factor measurement, organisational design and regulatory pressure, and they open avenues for future work on comparative maturity regulatory effects and organisational outcomes across sectors and regions.
  • RQ5. Thematic Groups
The VOSviewer analysis identified seven clusters that configure the current thematic map of IT governance:
  • Cluster 1—IT investment: Focuses on how strategic investment decisions affect value creation, with frameworks such as COBIT applied in public and private contexts.
  • Cluster 2—Organizational Performance and Board of Directors: Centres on top management’s role in legitimising and overseeing IT processes, with emphasis on control structures and alignment.
  • Cluster 3—Governance Maturity: Addresses maturity models that assess the extent and evolution of IT governance practices.
  • Cluster 4—Corporate Governance and Organisational Effectiveness: Examines the intersection of corporate structures and IT governance in achieving strategic outcomes.
  • Cluster 5—Information Systems and Relational Mechanisms: Highlights the importance of cultural and relational factors (e.g., trust, organisational learning) for governance effectiveness.
  • Cluster 6—Organisational Impact, Strategic Alignment and Risk Management: Brings together studies on IT governance’s capacity to generate tangible value and mitigate risk.
  • Cluster 7—IT Governance Frameworks: Analyses the evolution and practical applications of models such as COBIT and UNE-ISO/IEC 38500.

Limitations and Future Lines of Research

Despite the efforts made to uphold high methodological rigour, there remain aspects of the study that warrant acknowledgement. In essence, the document collection was confined to the Web of Science and Scopus databases, focusing on English-language articles published between 1999 and 2025. As noted in Section 3.2, this choice helped maintain source quality but excluded the literature available in other specialised repositories, in other languages, or reflecting different geographical and sectoral emphases. A further constraint lies in the use of SciMAT and VOSviewer: limited support—and, in the case of SciMAT, sparse documentation—combined with a learning curve may have influenced some results. Finally, to maximise breadth and cross-database comparability, the search string employed generic descriptors (“IT governance” and “information technology governance”); framework-specific acronyms such as EGIT (COBIT 2019) were not included.
This analysis leads to three future lines of research that are particularly relevant. First it is necessary to examine jointly how IT investment decisions, organisational performance and the mechanisms of organisational impact, strategic alignment and risk management are combined in governance models based on COBIT 2019, with particular attention to the Information Security and Risk focus area and its mapping to the Evaluate, Direct and Monitor (EDM), Align, Plan and Organise (APO), Deliver, Service and Support (DSS) and Monitor, Evaluate and Assess (MEA) objectives.
Second future work should clarify the conceptual boundaries between IT governance, data governance and digital governance by establishing operational criteria that distinguish and connect these domains within corporate governance models so that constructs, mechanisms and outcomes are not conflated when digital resources, data and technological capabilities are jointly managed.
Third it is important to investigate the implications of IT governance for human resources functions by defining competency profiles and training pathways aligned with COBIT 2019, with maturity indicators linked to EDM, APO, DSS and MEA, so that governance structures and processes are explicitly connected to recruitment, training and performance evaluation practices in organisations facing increasing regulatory demands.

Author Contributions

Conceptualization, Á.V.-A., M.F.-O. and J.A.M.-M.; Methodology, Á.V.-A., M.F.-O. and J.A.M.-M.; Software, Á.V.-A. and M.F.-O.; Validation, Á.V.-A., M.F.-O. and J.A.M.-M.; Formal analysis, Á.V.-A., M.F.-O. and J.A.M.-M.; Investigation, Á.V.-A., M.F.-O. and J.A.M.-M.; Re-sources, Á.V.-A., M.F.-O. and J.A.M.-M.; Data curation, Á.V.-A., M.F.-O. and J.A.M.-M.; Writing—original draft, Á.V.-A., M.F.-O. and J.A.M.-M.; Writing—review & editing, Á.V.-A., M.F.-O. and J.A.M.-M.; Visualization, Á.V.-A. and M.F.-O.; Supervision, Á.V.-A., M.F.-O. and J.A.M.-M.; Project administration, J.A.M.-M.; Funding acquisition, J.A.M.-M. All authors have read and agreed to the published version of the manuscript.

Funding

This work has been developed within the “Recovery, Transformation and Resilience Plan”, project C084/23 Ada Byron INCIBE-UAH, funded by the European Union (Next Generation).

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Newman, J.; Mintrom, M.; O’Neill, D. Digital technologies, artificial intelligence, and bureaucratic transformation. Futures 2022, 136, 102886. [Google Scholar] [CrossRef]
  2. Herrera-Vidal, G.; Coronado-Hernández, J.R.; Maheut, J. Complexity management challenges in the industry 4.0 era: A systematic review in production systems. Results Eng. 2025, 26, 105329. [Google Scholar] [CrossRef]
  3. Patterson, C.M.; Nurse, J.R.C.; Franqueira, V.N.L. “I don’t think we’re there yet”: The practices and challenges of organisational learning from cyber security incidents. Comput. Secur. 2024, 139, 103699. [Google Scholar] [CrossRef]
  4. Almaqtari, F.A. The Role of IT Governance in the Integration of AI in Accounting and Auditing Operations. Economies 2024, 12, 199. [Google Scholar] [CrossRef]
  5. UNE-ISO/IEC 38500:2013; Gobernanza Corporativa de la Tecnología de la Información (TI). Asociación Española de Normalización: Madrid, Spain, 2013. Available online: https://www.une.org/encuentra-tu-norma/busca-tu-norma/norma?c=N0051036 (accessed on 22 November 2025).
  6. Wang, F.; Lv, J.; Zhao, X. How do information strategy and information technology governance influence firm performance? Front. Psychol. 2022, 13, 1023697. [Google Scholar] [CrossRef]
  7. Trujillo-Lambert, Y.; Osorio-Sanabria, M.; Maestre-Gongora, G.; Astudillo, H. Information Technology Governance in Colombian Small and Medium Companies: An Exploratory Study Using Data Analysis. Aibi Rev. Investig. Adm. Ing. 2023, 11, 66–74. [Google Scholar] [CrossRef]
  8. Al-Qatanani, K.M. The impact of implementing information technology governance based on the COBIT-2019 framework on institutional performance. Edelweiss Appl. Sci. Technol. 2025, 9, 84–95. [Google Scholar] [CrossRef]
  9. Abass, Z.K.; Al-Abedi, T.K.; Flayyih, H.H. Integration Between Cobit and Coso for Internal Control and Its Reflection on Auditing Risk with Corporate Governance as the Mediating Variable. Int. J. Econ. Financ. Stud. 2023, 15, 40–58. [Google Scholar] [CrossRef]
  10. AXELOS. ITIL 4 Foundation; The Stationery Office: Norwich, UK, 2019. [Google Scholar]
  11. Akbari, K.; Fuerstenau, D.; Winkler, T.J. Governance and Longevity of Architecturally Embedded Applications. J. Manag. Inf. Syst. 2024, 41, 266–296. [Google Scholar] [CrossRef]
  12. Shandryk, V.; Radchenko, O.; Radchenko, O.; Koshelenko, A.; Deinega, I. Digitalization as a Global Trend of Public Management Systems Modernization. In Digital Technologies in Education: Selected Cases; Springer Nature: Cham, Switzerland, 2024; pp. 3–16. [Google Scholar]
  13. Eichholz, J.; Hoffmann, N.; Schwering, A. The role of risk management orientation and the planning function of budgeting in enhancing organizational resilience and its effect on competitive advantages during times of crises. J. Manag. Control 2024, 35, 17–58. [Google Scholar] [CrossRef]
  14. Islam, H. Nexus of economic, social, and environmental factors on sustainable development goals: The moderating role of technological advancement and green innovation. Innov. Green Dev. 2025, 4, 100183. [Google Scholar] [CrossRef]
  15. Chahid, A.; Ahriz, S.; El Guemmat, K.; Mansouri, K. Developing digital capabilities through IT governance: A PLS-SEM analysis in Moroccan higher education institutions. Bull. Electr. Eng. Inform. 2025, 14, 1543–1552. [Google Scholar] [CrossRef]
  16. Esposito, M.; Palagiano, F.; Lenarduzzi, V.; Taibi, D. On Large Language Models in Mission-Critical IT Governance: Are We Ready Yet? In Proceedings of the 2025 IEEE/ACM 47th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), Ottawa, ON, Canada, 27 April–3 May 2025. [Google Scholar]
  17. Arta Perdana, B.G.; Muhammad, A.H.; Nasiri, A. Evaluation of It Governance Based on Spbe Using Cobit 2019 and ISO/IEC 38500:2015. Inovtek Polbeng Seri Inform. 2024, 9, 110–125. [Google Scholar] [CrossRef]
  18. Kekgathetse, M.; Lucas, B.; Sebapalo, M. A Systematic Review on Cyber Security Integration in Information Technology Governance. In Proceedings of the 2024 International Conference on Electrical and Computer Engineering Researches (ICECER), Gaborone,·Botswana, 4–6 December 2024. [Google Scholar]
  19. Mirzaei, P.; De Busser, E. The New F-word: The case of fragmentation in Dutch cybersecurity governance. Comput. Law Secur. Rev. 2024, 55, 106032. [Google Scholar] [CrossRef]
  20. Callon, M.; Courtial, J.-P.; Laville, F. Co-word analysis as a tool for describing the network of interactions between basic and technological research: The case of polymer chemsitry. Scientometrics 1991, 22, 155–205. [Google Scholar] [CrossRef]
  21. Giraldo-Giraldo, C.; Rubio-Andrés, M.; Rave-Gómez, E.D.; Gutiérrez-Broncano, S. Evolution of the Concept and Scientific Mapping of Sustainable Human Resource Management S-(HRM). Adm. Sci. 2025, 15, 39. [Google Scholar] [CrossRef]
  22. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, n71. [Google Scholar] [CrossRef]
  23. Kramar, R. Beyond strategic human resource management: Is sustainable human resource management the next approach? Int. J. Hum. Resour. Manag. 2014, 25, 1069–1089. [Google Scholar] [CrossRef]
  24. Kramar, R. Sustainable human resource management: Six defining characteristics. Asia Pac. J. Hum. Resour. 2022, 60, 146–170. [Google Scholar] [CrossRef]
  25. Van Eck, N.J.; Waltman, L. Software survey: VOSviewer, a computer program for bibliometric mapping. Scientometrics 2010, 84, 523–538. [Google Scholar] [CrossRef]
  26. Cobo, M.J.; López-Herrera, A.G.; Herrera-Viedma, E.; Herrera, F. An approach for detecting, quantifying, and visualizing the evolution of a research field: A practical application to the Fuzzy Sets Theory field. J. Informetr. 2011, 5, 146–166. [Google Scholar] [CrossRef]
  27. Cobo, M.J.; López-Herrera, A.G.; Herrera-Viedma, E.; Herrera, F. SCIMAT: A new science mapping analysis software tool. J. Am. Soc. Inf. Sci. Technol. 2012, 63, 1609–1630. [Google Scholar] [CrossRef]
  28. ISACA. COBIT2019 Framework: Introduction Methodology, I.S.A.C.A. 2018. Available online: https://www.isaca.org/resources/cobit (accessed on 1 June 2025).
  29. Weill, P.; Ross, J. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results; Harvard Business Press: Brighton, MA, USA, 2004. [Google Scholar]
  30. Caluwe, L.; Wilkin, C.L.; De Haes, S.; Huygh, T. Board roles required for IT governance to become an integral component of corporate governance. Int. J. Account. Inf. Syst. 2024, 54, 100694. [Google Scholar] [CrossRef]
  31. Lesum, S.A.; Akthar, S.R.; Islam, M.R.; Sadia, F.; Hasan, M. Project Governance to Improve the Performance of Software Projects by Mitigating the Software Risk Factors: The Moderating Role of Project Leadership. Procedia Comput. Sci. 2024, 239, 1863–1870. [Google Scholar] [CrossRef]
  32. McIntosh, T.R.; Susnjak, T.; Liu, T.; Watters, P.; Xu, D.; Liu, D.; Nowrozy, R.; Halgamuge, M.N. From COBIT to ISO 42001: Evaluating cybersecurity frameworks for opportunities, risks, and regulatory compliance in commercializing large language models. Comput. Secur. 2024, 144, 103964. [Google Scholar] [CrossRef]
  33. Qassimi, N.A.; Rusu, L. IT Governance in a Public Organization in a Developing Country: A Case Study of a Governmental Organization. Procedia Comput. Sci. 2015, 64, 450–456. [Google Scholar] [CrossRef][Green Version]
  34. Amali, L.N.; Katili, M.R. Identification of influential factors in implementing it governance: A survey study of Indonesian companies in the public sector. Interdiscip. J. Inf. Knowl. Manag. 2018, 13, 61–77. [Google Scholar] [CrossRef][Green Version]
  35. Amali, L.N.; Mahmuddin, M.; Ahmad, M.; Rifai Katili, M. Factors influencing the implementation of IT governance. J. Eng. Appl. Sci. 2018, 13, 8912–8920. [Google Scholar]
  36. Begum, F.U.; Popoola, O.M.J.; Ghazali, M.Z. Unveiling the Determinants of Effective IT Governance: A Conceptual Framework for India’s Public Listed Companies. Pap. Asia 2024, 40, 415–428. [Google Scholar] [CrossRef]
  37. Bianchi, I.S.; Sousa, R.D.; Pereira, R.; De Haes, S. The influence of culture in IT governance implementation: A higher education multi case study. Int. J. Hum. Cap. Inf. Technol. Prof. 2019, 10, 55–68. [Google Scholar] [CrossRef]
  38. Bradley, R.V.; Byrd, T.A.; Pridmore, J.L.; Thrasher, E.; Pratt, R.M.E.; Mbarika, V.W.A. An empirical examination of antecedents and consequences of IT governance in US hospitals. J. Inf. Technol. 2012, 27, 156–177. [Google Scholar] [CrossRef]
  39. Nfuka, E.N.; Rusu, L. Critical success framework for implementing effective IT governance in Tanzanian public sector organizations. J. Glob. Inf. Technol. Manag. 2013, 16, 53–77. [Google Scholar] [CrossRef]
  40. Olutoyin, O.; Flowerday, S. Successful IT governance in SMES: An application of the Technology-Organisation-Environment theory. S. Afr. J. Inf. Manag. 2016, 18, 1–8. [Google Scholar] [CrossRef]
  41. Trang, S.; Zander, S.; Kolbe, L.M. The Contingent Role of Centrality in IT Network Governance: An Empirical Examination. Pac. ASIA J. Assoc. Inf. Syst. 2015, 7, 31–48. [Google Scholar] [CrossRef]
  42. Xue, Y.; Liang, H.; Boulton, W.R. Information technology governance in information technology investment decision processes: The impact of investment characteristics, external environment, and internal context. MIS Q. Manag. Inf. Syst. 2008, 32, 67–96. [Google Scholar] [CrossRef]
  43. Joshi, A.; Bollen, L.; Hassink, H. An Empirical Assessment of IT Governance Transparency: Evidence from Commercial Banking. Inf. Syst. Manag. 2013, 30, 116–136. [Google Scholar] [CrossRef]
  44. Jafarijoo, M.; Joshi, K.D. The interplay of IT governance mechanisms, value and performance: The case of cloud computing investment. Pac. ASIA J. Assoc. Inf. Syst. 2024, 16, 75–123. [Google Scholar]
  45. Lunardi, G.L.; Becker, J.L.; Maçada, A.C.G.; Dolci, P.C. The impact of adopting IT governance on financial performance: An empirical analysis among Brazilian firms. Int. J. Account. Inf. Syst. 2014, 15, 66–81. [Google Scholar] [CrossRef]
  46. Pang, M.S. IT governance and business value in the public sector organizations–The role of elected representatives in IT governance and its impact on IT value in U.S. state governments. Decis. Support Syst. 2014, 59, 274–285. [Google Scholar] [CrossRef]
  47. Turedi, S.; Zhu, H. How to generate more value from IT: The interplay of it investment, decision making structure, and senior management involvement in IT governance. Commun. Assoc. Inf. Syst. 2019, 44, 511–536. [Google Scholar] [CrossRef]
  48. Wilkin, C.L. The role of it governance practices in creating business value in smes. J. Organ. End User Comput. 2012, 24, 1–17. [Google Scholar] [CrossRef][Green Version]
  49. Willson, P.; Pollard, C. Exploring IT governance in theory and practice in a large multi-national organisation in Australia. Inf. Syst. Manag. 2009, 26, 98–109. [Google Scholar] [CrossRef]
  50. Zhao, H.; Chen, X.; Yang, Y. It Governance Frameworks for Cloud Computing Services and Assessing Their Performance. J. Nonlinear Convex Anal. 2021, 22, 2247–2266. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85207867975&partnerID=40&md5=7b5f59bc0441cec8764ba8671c80c5f0 (accessed on 1 June 2025).
  51. Raymond, L.; Bergeron, F.; Croteau, A.-M.; Uwizeyemungu, S. Determinants and outcomes of IT governance in manufacturing SMEs: A strategic IT management perspective. Int. J. Account. Inf. Syst. 2019, 35, 100422. [Google Scholar] [CrossRef]
  52. Ali, A.; Iqbal, S.; Haider, S.A.; Tehseen, S.; Anwar, B.; Sohail, M.; Rehman, K. Does Governance in Information Technology Matter When It Comes to Organizational Performance in Pakistani Public Sector Organizations? Mediating effect of innovation. Sage Open 2021, 11, 21582440211016557. [Google Scholar] [CrossRef]
  53. Elazhary, M.; Popovič, A.; Henrique de Souza Bermejo, P.; Oliveira, T. How Information Technology Governance Influences Organizational Agility: The Role of Market Turbulence. Inf. Syst. Manag. 2023, 40, 148–168. [Google Scholar] [CrossRef]
  54. Chau, D.C.K.; Ngai, E.W.T.; Gerow, J.E.; Thatcher, J.B. The effects of business-IT strategic alignment and IT governance on firm performance: A moderated polynomial regression analysis. MIS Q. Manag. Inf. Syst. 2020, 44, 1679–1703. [Google Scholar] [CrossRef]
  55. Fajar, A.N.; Amri, M. The Impact of IT Governance Mechanism on Firm Performance: An Empirical Study. J. Syst. Manag. Sci. 2022, 12, 205–218. [Google Scholar] [CrossRef]
  56. Ilmudeen, A.; Qaffas, A.A. Impact of IT governance mechanisms on IT-enabled dynamic capabilities to achieve firm performance: Role of moderators. Benchmarking 2025, 32, 578–607. [Google Scholar] [CrossRef]
  57. Liu, P.; Turel, O.; Bart, C. Board IT Governance in Context: Considering Governance Style and Environmental Dynamism Contingencies. Inf. Syst. Manag. 2019, 36, 212–227. [Google Scholar] [CrossRef]
  58. Turel, O.; Bart, C. Board-level IT governance and organizational performance. Eur. J. Inf. Syst. 2014, 23, 223–239. [Google Scholar] [CrossRef]
  59. Park, J.; Lee, J.N.; Daniel Lee, O.K.; Koo, Y. Alignment between Internal and External IT Governance and Its Effects on Distinctive Firm Performance: An Extended Resource-Based View. IEEE Trans. Eng. Manag. 2017, 64, 351–364. [Google Scholar] [CrossRef]
  60. Yang, Q.; Qian, L.; Zhao, X. Does information technology governance strengthen or weaken contract control in digital platform relationships? Ind. Manag. Data Syst. 2022, 122, 20–36. [Google Scholar] [CrossRef]
  61. Smits, D.; Van Hillegersberg, J. Evaluation of the usability of a new ITG instrument to measure hard and soft governance maturity. Int. J. Inf. Syst. Proj. Manag. 2019, 7, 37–58. [Google Scholar] [CrossRef]
  62. Asmah, A.; Kyobe, M. The impact of audit on IT governance: A study of the financial services sector in Ghana. Electron. J. Inf. Syst. Dev. Ctries. 2025, 91, e12349. [Google Scholar] [CrossRef]
  63. Lee, J.; Lee, C.; Kap-Young, J. Governance inhibitors in it strategy and management: An empirical study of Korean enterprises. Glob. Econ. Rev. 2008, 37, 1–22. [Google Scholar] [CrossRef]
  64. Wiedenhöft, G.C.; Luciano, E.M. Going the Extra Mile: Impact of Individuals’ Behavior on Information Technology Governance. Rev. Adm. Contemp. 2021, 2004, 25. [Google Scholar] [CrossRef]
  65. Yaokumah, W.; Brown, S.; Adjei, P.O.M. Information technology governance barriers, drivers, IT/business alignment, and maturity in Ghanaian universities. Int. J. Inf. Syst. Serv. Sect. 2015, 7, 66–83. [Google Scholar] [CrossRef]
  66. Debreceny, R.S.; Gray, G.L. IT Governance and Process Maturity: A Multinational Field Study. J. Inf. Syst. 2013, 27, 157–188. [Google Scholar] [CrossRef]
  67. Fasihuddin, H.; Alharbi, S.; Alshehri, A.; Alzahrani, A.; Fatani, H. Measuring the maturity of Information Technology Governance based on COBIT. Rom. J. Inf. Technol. Autom. Control. Rev. Romana Inform. Si Autom. 2022, 32, 65–78. [Google Scholar] [CrossRef]
  68. Safari, M.R.; Jiang, Q. The theory and practice of IT governance maturity and strategies alignment: Evidence from banking industry. J. Glob. Inf. Manag. 2018, 26, 127–146. [Google Scholar] [CrossRef]
  69. El Sheikh, A.; Abu Khadra, H.A. Governing Information Technology (IT) and Security Vulnerabilities: Empirical Study Applied on the Jordanian Industrial Companies. J. Inf. Technol. Res. 2009, 2, 70–85. [Google Scholar] [CrossRef][Green Version]
  70. Merchán-Rodríguez, V.; Zambrano-Vera, D. Budget and capabilities of information technology governance: Empirical analysis in higher education institutes. Bull. Electr. Eng. Inform. 2023, 12, 1137–1147. [Google Scholar] [CrossRef]
  71. Solana-González, P.; Vanti, A.A.; García Lorenzo, M.M.; Bello Pérez, R.E. Data mining to assess organizational transparency across technology processes: An approach from it governance and knowledge management. Sustainability 2021, 13, 10130. [Google Scholar] [CrossRef]
  72. Uky, Y.; Harmadji, D.E. Information Technology Governance Awareness: A Proposed Formula for Assessment. J. RESTI 2022, 6, 1064–1071. [Google Scholar] [CrossRef]
  73. Almaqtari, F.A.; Farhan, N.H.S.; Yahya, A.T.; Al-Dalaien, B.O.A.; Shamim, M. The mediating effect of IT governance between corporate governance mechanisms, business continuity, and transparency & disclosure: An empirical study of COVID-19 Pandemic in Jordan. Inf. Secur. J. 2023, 32, 39–57. [Google Scholar] [CrossRef]
  74. Butler, M.J. A qualitative system dynamics perspective on the contribution of information technology credibility towards business and information technology alignment. S. Afr. J. Bus. Manag. 2022, 52, a2774. [Google Scholar] [CrossRef]
  75. Mohamad, S.; Toomey, M. A survey of information technology governance capability in five jurisdictions using the ISO 38500:2008 framework. Int. J. Discl. Gov. 2016, 13, 53–74. [Google Scholar] [CrossRef]
  76. Olesen, K.; Narayan, A.K.; Ramachandra, S. The challenges of Information Technology (IT) governance in public universities over time. Corp. Ownersh. Control 2013, 10, 258–266. [Google Scholar] [CrossRef][Green Version]
  77. Robles, R.J.; Park, J.Y.; Kim, T.H. Information security control centralization and IT governance for enterprises. Int. J. Multimed. Ubiquitous Eng. 2008, 3, 67–76. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84863012306&partnerID=40&md5=9e51e3351326f9dfd2e836d25dccfa30 (accessed on 1 June 2025).
  78. Wilkin, C.L.; Chenhall, R.H. Information technology governance: Reflections on the past and future directions. J. Inf. Syst. 2020, 34, 257–292. [Google Scholar] [CrossRef]
  79. Batyashe, T.N.; Iyamu, T. Examining IT governance through diffusion of innovations: A case of a south African telecom. Inf. Resour. Manag. J. 2017, 30, 26–40. [Google Scholar] [CrossRef]
  80. Chong, J.L.L.; Tan, F.B. IT Governance in Collaborative Networks: A Socio-Technical Perspective. Pac. ASIA J. Assoc. Inf. Syst. 2012, 4, 31–48. [Google Scholar] [CrossRef]
  81. Da Silva, H.C.C.; Dornelas, J.S.; Vasconcelos Araujo, M.A. Strategic role of IT and IT governance mechanisms for the context of small and medium enterprises. REGEPE Entrep. Small Bus. J. 2022, 11, e2051. [Google Scholar] [CrossRef]
  82. Hasbollah, H.M.; Simon, A.; Letch, N. Investigating IT Governance implementation: Insights from an Australian retailer of home improvement products. J. Eng. Appl. Sci. 2017, 12, 6553–6559. [Google Scholar]
  83. Law, C.C.H.; Ngai, E.W.T. IT Infrastructure Capabilities and Business Process Improvements: Association with IT Governance Characteristics. Inf. Resour. Manag. J. 2007, 20, 25–47. [Google Scholar] [CrossRef]
  84. Mardan, F.; Abdolvand, N.; Harandi, S.R. The effect of IT flexibility and IT governance on business-IT strategic alignment. Int. J. Bus. Syst. Res. 2023, 17, 251–265. [Google Scholar] [CrossRef]
  85. Muammar, S.; Nicho, M. IT governance practices in the Gulf Cooperation Council region. Int. J. Inf. Technol. Proj. Manag. 2019, 10, 137–159. [Google Scholar] [CrossRef]
  86. Vatanasakdakul, S.; Aoun, C.; Chen, Y. Chasing Success: An Empirical Model for IT Governance Frameworks Adoption in Australia. Sci. Technol. Soc. 2017, 22, 182–211. [Google Scholar] [CrossRef]
  87. Ali, S.; Green, P.; Robb, A. Measuring top management’s IT governance knowledge absorptive capacity. J. Inf. Syst. 2013, 27, 137–155. [Google Scholar] [CrossRef]
  88. Ferguson, C.; Green, P.; Vaswani, R.; Wu, G. Determinants of Effective Information Technology Governance. Int. J. Audit. 2013, 17, 75–99. [Google Scholar] [CrossRef]
  89. Gottschalk, P.; Karlsen, J.T. Mobilisation of strategic Information Technology resources: The influence of knowledge sharing on Information Technology governance. Int. J. Bus. Syst. Res. 2008, 2, 227–243. [Google Scholar] [CrossRef]
  90. Govindaraju, R.; Dwipayana, I.N.K.; Salamah, S.Y. It governance and ERP post-implementation: Analysing the impact of it business alignment and it benefits management on ERP operation and enhancement. Int. J. Technol. 2018, 9, 578–588. [Google Scholar] [CrossRef]
  91. Tiwana, A.; Kim, S.K. Discriminating IT governance. Inf. Syst. Res. 2015, 26, 656–674. [Google Scholar] [CrossRef]
  92. Amali, L.N.; Katili, M.R.; Suhada, S. Core model of information technology governance system design in local government. Telkomnika 2023, 21, 750–761. [Google Scholar] [CrossRef]
  93. De Haes, S.; Van Grembergen, W.; Debreceny, R.S. COBIT 5 and enterprise governance of information technology: Building blocks and research opportunities. J. Inf. Syst. 2013, 27, 307–324. [Google Scholar] [CrossRef]
  94. Nugraha, R.A.; Syaidah, R. Smart Campus Governance Design for XYZ Polytechnic Based on COBIT 2019. Int. J. Inform. Vis. 2022, 6, 718–725. [Google Scholar] [CrossRef]
  95. Toifur, T.; Budi, A. Evaluation of Information Technology Governance Using COBIT 5 and ISO/IEC 38500. J. Online Inform. 2022, 7, 17–27. [Google Scholar] [CrossRef]
  96. Utomo, D.; Wijaya, M.; Sagala, N.T.M. Leveraging COBIT 2019 to Implement IT Governance in SME Context: A Case Study of Higher Education in Campus A. CommIT J. 2022, 16, 129–141. [Google Scholar] [CrossRef]
  97. Wiraniagara, A.; Legowo, N. Solving IT governance problems of life insurance company in Indonesia using COBIT 5 framework. Int. J. Comput. Digit. Syst. 2020, 90, 771–780. [Google Scholar] [CrossRef]
  98. Arghand, A.A.; Alborzi, M.; Ghatari, A.R. A Methodology for IT Governance by Viable System Modeling (VSM): An Action Research in Designing a Data Center. Syst. Pract. Action Res. 2022, 35, 131–152. [Google Scholar] [CrossRef]
  99. El Ghorfi, R.; Aroussi, M.E.; Ouadou, M.; Aboutajdine, D. IT project management under real options theory and IT governance: A case study on organisation relocation. Int. J. Manag. Decis. Mak. 2017, 16, 196–223. [Google Scholar] [CrossRef]
  100. El Ghorfi, R.; El Aroussi, M.; Ouadou, M.; Aboutajdine, D. Valuating IT governance strategies with real options in a decision making framework. Int. J. Inf. Syst. Serv. Sect. 2018, 10, 42–58. [Google Scholar] [CrossRef]
  101. El Houssaini, S.E.; Youssfi, K.; Boutahar, J. CAT5:A Tool for Measuring the Maturity Level of Information Technology Governance Using COBIT 5 Framework. Int. J. Adv. Comput. Sci. Appl. 2016, 7, 385–391. [Google Scholar] [CrossRef]
  102. Pajić, A.; Pantelić, O.; Stanojević, B. Representing IT performance management as metamodel. Int. J. Comput. Commun. Control 2014, 9, 758–767. [Google Scholar] [CrossRef][Green Version]
  103. Yamami, A.E.L.; Mansouri, K.; Qbadou, M.; Illoussamen, E. A new pattern for the deployment of IT governance frameworks in organizations. Int. J. Eng. Technol. (UAE) 2018, 7, 3459–3465. [Google Scholar]
  104. Abu Khadra, H.; Zuriekat, M.; Alramhi, N. An empirical examination of maturity model as measurement of information technology governance implementation. Int. Arab. J. Inf. Technol. 2009, 6, 310–319. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-73449083731&partnerID=40&md5=9e8a588f2565346c60af86645007192d (accessed on 1 June 2025).
  105. Amali, L.N.; Katili, M.R.; Suhada, S.; Hadjaratie, L. The measurement of maturity level of information technology service based on COBIT 5 framework. Telkomnika 2020, 18, 133–139. [Google Scholar] [CrossRef]
  106. Ilham, M.; Eliyana, A.; Usman, I. The Influence of Information Technology Governance Audit Using Cobit 5 for the Development Public Library: (Case Study: Public Library In East Java). Libr. Philos. Pract. 2020, 4384. Available online: https://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=8254&context=libphilprac (accessed on 22 November 2025).
  107. Krisanthi, G.A.T.; Sukarsa, I.M.; Agung Bayupati, I.P. Governance audit of application procurement using COBIT framework. J. Theor. Appl. Inf. Technol. 2014, 59, 342–351. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84892732684&partnerID=40&md5=5d8337c33d6e074fd1ac601937ae79b2 (accessed on 1 June 2025).
  108. Radjulan, J.C.; Iriani, A.; Tambotoh, J. Evaluation It Governance Computer Network at Central Bureau of Statistics (Bps) Maluku Province Using Cobit 2019 DSS01 and DSS05 Domains. Barekeng 2024, 18, 2779–2794. [Google Scholar] [CrossRef]
  109. Zainuddin, N.; Winarno, W.W.; Ningsi, N.; Pasrun, Y.P.; Muliyadi, M. It governance evaluation at the population and civil registry office in Kolaka district using COBIT 5 framework. Regist. J. Ilm. Teknol. Sist. Inf. 2020, 6, 86–95. [Google Scholar] [CrossRef]
  110. Garcia, V.V.; Vicente, E.J.F.; Aragonés, L.U. Maturity Model for IT Service Outsourcing in Higher Education Institutions. Int. J. Adv. Comput. Sci. Appl. 2013, 4, 39–45. [Google Scholar] [CrossRef][Green Version]
  111. García, V.V.; Vicente, E.J.F.; Aragonés, L.U. Applicability of the Maturity Model for IT Service Outsourcing in Higher Education Institutions. Int. J. Adv. Comput. Sci. Appl. 2014, 5, 41–50. [Google Scholar] [CrossRef]
  112. García, V.V.; Vicente, E.J.F.; Aragonés, L.U. Cloud Management and Governance: Adapting IT Outsourcing to External Provision of Cloud-Based IT Services. Int. J. Adv. Comput. Sci. Appl. 2015, 6, 86–93. [Google Scholar] [CrossRef]
  113. Erniwati, S.; Hikmawati, N.K. An Analysis of Information Technology on Data Processing by using Cobit Framework. Int. J. Adv. Comput. Sci. Appl. 2015, 6, 151–157. [Google Scholar] [CrossRef]
  114. Steenkamp, G. The applicability of using COBIT as a framework to achieve compliance with the King III Report’s requirements for good IT governance. South. Afr. J. Account. Audit. Res.-SAJAAR 2011, 11, 1–8. [Google Scholar]
  115. Lee, M.C. IT governance implementation framework in small and medium enterprise. Int. J. Manag. Enterp. Dev. 2013, 12, 425–441. [Google Scholar] [CrossRef]
  116. Mohamed, N.; Kaur, J.; Singh, G. A conceptual framework for information technology governance effectiveness in private organizations. Inf. Manag. Comput. Secur. 2012, 20, 88–106. [Google Scholar] [CrossRef]
  117. Wilkin, C.; Campbell, J.; Moore, S.; van Grembergen, W. Co-creating value from IT in a contracted public sector service environment: Perspectives on COBIT and Val IT. J. Inf. Syst. 2013, 27, 283–306. [Google Scholar] [CrossRef]
  118. Trites, G. Director responsibility for IT governance. Int. J. Account. Inf. Syst. 2004, 5, 89–99. [Google Scholar] [CrossRef]
  119. Wautelet, Y. A model-driven IT governance process based on the strategic impact evaluation of services. J. Syst. Softw. 2019, 149, 462–475. [Google Scholar] [CrossRef]
  120. Al-Sa’eed, M.A.; Al-Mahamid, S.M.; Al-Sayyed, R.M.H. The impact of control objectives of information and related technology (COBIT) domain on information criteria and information technology resources. J. Theor. Appl. Inf. Technol. 2012, 45, 9–18. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84874525237&partnerID=40&md5=1857ace2d5dfb3ee6012e5e93824af9f (accessed on 1 June 2025).
  121. Bianchi, I.S.; Sousa, R.D.; Pereira, R.; de Souza, I.M. Effective it governance mechanisms in higher education institutions: An empirical study. RISTI Rev. Ibérica Sist. Tecnol. Informação 2020, 2020, 412–423. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85078842160&partnerID=40&md5=4bd4dee222fffcb9c6d4dd0226f1acc6 (accessed on 1 June 2025).
  122. Andresen, R.; Ekker, K.; Hjort Christensen, B.; Gottschalk, P. An IT outsourcing governance model for mobile learning and organisation. Int. J. Mob. Learn. Organ. 2007, 1, 184–197. [Google Scholar] [CrossRef]
  123. Chong, J.L.L.; Duong, L.N.K. Understanding IT Governance Effectiveness in Asia: An Event Study. Pac. ASIA J. Assoc. Inf. Syst. 2017, 9, 29–54. [Google Scholar] [CrossRef]
  124. Bin-Abbas, H.; Bakry, S.H. Assessment of IT governance in organizations: A simple integrated approach. Comput. Hum. Behav. 2014, 32, 261–267. [Google Scholar] [CrossRef]
  125. Chergui, M.; Chakir, A. IT GRC smart adviser: Process driven architecture applying an integrated framework. Advances in Science. Technol. Eng. Syst. 2020, 5, 247–255. [Google Scholar] [CrossRef]
  126. Taylor, H.; Woelfer, J.P.; Artman, E. Information Technology Governance in Practice: A Project Management Office’s Use of Early Risk Assessment as a Relational Mechanism. Int. J. Inf. Technol. Proj. Manag. 2012, 3, 14–30. [Google Scholar] [CrossRef]
  127. Ahmad, N.; Amer, N.T.; Qutaifan, F.; Alhilali, A. Technology adoption model and a road map to successful implementation of ITIL. J. Enterp. Inf. Manag. 2013, 26, 553–576. [Google Scholar] [CrossRef]
  128. Anica-Popa, I. Standards in IT Governance. Qual. Access Success 2012, 13, 110–112. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84867952081&partnerID=40&md5=10a42917eff60aa82cbae35ba823fb33 (accessed on 1 June 2025).
  129. Iden, J.; Eikebrokk, T.R. Using the ITIL Process Reference Model for Realizing IT Governance: An Empirical Investigation. Inf. Syst. Manag. 2014, 31, 37–58. [Google Scholar] [CrossRef][Green Version]
  130. Hamzane, I.; Abdessamad, B. A built-in criteria analysis for best IT governance framework. Int. J. Adv. Comput. Sci. Appl. 2019, 10, 185–190. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85075735916&partnerID=40&md5=50df938a908a51266d741d5894f74d51 (accessed on 1 June 2025). [CrossRef]
  131. Peña, J.J.S.; Vicente, E.F.; Ocaña, A.M. ITIL, COBIT and EFQM: Can They Work Together? Int. J. Comb. Optim. Probl. Inform. 2013, 4, 54–64. [Google Scholar]
  132. Rivas-Asanza, W.; Celleri-Pacheco, J.; Andrade-Garda, J.; García-Vázquez, R.; Mato-Abad, V.; Rodríguez-Yáñez, S.; Suárez-Garaboa, S. Environmental sustainability in information technologies governance. Sustainability 2018, 10, 4792. [Google Scholar] [CrossRef]
  133. Supangkat, S.H.; Rahmad, B. Adaptive IT governance framework: Integration and harmonization of structure, IT decision and the control mechanism. WSEAS Trans. Inf. Sci. Appl. 2006, 3, 1931–1939. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-33746921585&partnerID=40&md5=c47c5025b8faa6a18d128459cb3a55bc (accessed on 1 June 2025).
  134. Tambo, T.; Filtenborg, J. Digital services governance: IT4IT™ for management of technology. J. Manuf. Technol. Manag. 2019, 30, 1230–1249. [Google Scholar] [CrossRef]
  135. Mutiara, A.; Prasetyo, E.; Widya, C. Analyzing cobit 5 it audit framework implementation using ahp methodology. Int. J. Inform. Vis. 2017, 1, 33–39. [Google Scholar] [CrossRef]
  136. Ridley, G.; Young, J.; Carroll, P. COBIT 3rd Edition Executive Summary. Aust. Account. Rev. 2008, 18, 334–342. [Google Scholar] [CrossRef]
  137. Tuttle, B.; Vandervelde, S.D. An empirical examination of CobiT as an internal control framework for information technology. Int. J. Account. Inf. Syst. 2007, 8, 240–263. [Google Scholar] [CrossRef]
  138. Ebert, C.; Vizcaino, A.; Manjavacas, A. IT Governance. IEEE Softw. 2020, 37, 13–20. [Google Scholar] [CrossRef]
  139. Spremić, M. IT governance mechanisms in managing IT business value. WSEAS Trans. Inf. Sci. Appl. 2009, 6, 906–915. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-68049107031&partnerID=40&md5=f9f20a73d45459ed9f5bcfdc0f44260c (accessed on 1 June 2025).
  140. Adu-Mensah, E.; Odei-Appiah, S.; Adjei, J.K.; Ayivor, E. The role of user awareness in the information technology and security governance nexus—Evidence from Ghana’s banking industry. Int. J. Inf. Comput. Secur. 2024, 25, 367–403. [Google Scholar] [CrossRef]
  141. Harguem, S.; Boubaker, K.B.; Echatti, H. Information Technology Governance in the Tunisian Banking Industry: An Exploratory Study. Acad. J. Interdiscip. Stud. 2022, 11, 121–133. [Google Scholar] [CrossRef]
  142. Shaw, R.S.; Cheng, C.P.; Shih, S.P. Correlation and impact between it management and IT governance. Inf. Technol. J. 2013, 12, 4569–4575. [Google Scholar] [CrossRef][Green Version]
  143. Veerankutty, F.; Ramayah, T.; Ali, N.A. Information technology governance on audit technology performance among Malaysian public sector auditors. Soc. Sci. 2018, 7, 124. [Google Scholar] [CrossRef]
  144. Wu, S.P.J.; Straub, D.W.; Liang, T.P. How information technology governance mechanisms and strategic alignment influence organizational performance: Insights from a matched survey of business and it managers. MIS Q. Manag. Inf. Syst. 2015, 39, 497–518. [Google Scholar] [CrossRef]
  145. Awwad, B.; El Khoury, R. Information technology governance and bank performance: Evidence from Palestine. J. Decis. Syst. 2024, 33, 311–334. [Google Scholar] [CrossRef]
  146. Singh, H.P.; Alhulail, H.N. Information Technology Governance and Corporate Boards’ Relationship with Companies’ Performance and Earnings Management: A Longitudinal Approach. Sustainability 2023, 15, 6492. [Google Scholar] [CrossRef]
  147. Khalil, S.; Belitski, M. Dynamic capabilities for firm performance under the information technology governance framework. Eur. Bus. Rev. 2020, 32, 129–157. [Google Scholar] [CrossRef]
  148. Naguib, H.M.; Kassem, H.M.; Naem, A.M.A. The impact of IT governance and data governance on financial and non-financial performance. Future Bus. J. 2024, 10, 15. [Google Scholar] [CrossRef]
  149. Smith, A.L.; Bradley, R.V.; Bichescu, B.C.; Tremblay, M.C. IT governance characteristics, electronic medical records sophistication, and financial performance in U.S. hospitals: An empirical investigation. Decis. Sci. 2013, 44, 483–516. [Google Scholar] [CrossRef]
  150. Castellanos, W.S. Impact of Information Technology (IT) Governance on Business-IT Alignment. Cuad. Gest. 2021, 21, 83–96. [Google Scholar] [CrossRef]
  151. in der Maur, W.; van Walbeek, W.; Batenburg, R. A framework for integrating IT governance and business/IT alignment principles. Int. J. Bus. Innov. Res. 2009, 3, 555–573. [Google Scholar] [CrossRef]
  152. Reynolds, P.; Yetton, P. Aligning business and IT strategies in multi-business organizations. J. Inf. Technol. 2015, 30, 101–118. [Google Scholar] [CrossRef]
  153. Schlosser, F.; Beimborn, D.; Weitzel, T.; Wagner, H.T. Achieving social alignment between business and IT–An empirical evaluation of the efficacy of IT governance mechanisms. J. Inf. Technol. 2015, 30, 119–135. [Google Scholar] [CrossRef]
  154. Torres-Moreno, M.E.; Aponte-Melo, J.H. Assessing business-IT alignment maturity at a Colombian university. J. Cases Inf. Technol. 2021, 23, 1–22. [Google Scholar] [CrossRef]
  155. Mutakyahwa, A.; Marnewick, C. Information technology governance practices and stakeholder management: A multinational organizational perspective. J. Mod. Proj. Manag. 2021, 9, 103–121. [Google Scholar]
  156. Schobel, K.; Denford, J.S. The Chief Information Officer and Chief Financial Officer dyad in the public sector: How an effective relationship impacts individual effectiveness and strategic alignment. J. Inf. Syst. 2013, 27, 261–281. [Google Scholar] [CrossRef]
  157. Sharma, D.; Stone, M.; Ekinci, Y. IT governance and project management: A qualitative study. J. Database Mark. Cust. Strategy Manag. 2009, 16, 29–50. [Google Scholar] [CrossRef][Green Version]
  158. Snyder, H. Literature review as a research methodology: An overview and guidelines. J. Bus. Res. 2019, 104, 333–339. [Google Scholar] [CrossRef]
  159. Carrasco-Garrido, C.; De-Pablos-Heredero, C.; Rodríguez-Sánchez, J.L. Exploring hybrid telework: A bibliometric analysis. Heliyon 2023, 9, e22472. [Google Scholar] [CrossRef]
  160. Mongeon, P.; Paul-Hus, A. The journal coverage of Web of Science and Scopus: A comparative analysis. Scientometrics 2016, 106, 213–228. [Google Scholar] [CrossRef]
  161. Falagas, M.E.; Pitsouni, E.I.; Malietzis, G.A.; Pappas, G. Comparison of PubMed, Scopus, Web of Science, and Google Scholar: Strengths and weaknesses. FASEB J. 2008, 22, 338–342. [Google Scholar] [CrossRef]
  162. Martín-Martín, A.; Orduna-Malea, E.; Thelwall, M.; Delgado López-Cózar, E. Google Scholar, Web of Science, and Scopus: A systematic comparison of citations in 252 subject categories. J. Informetr. 2018, 12, 1160–1177. [Google Scholar] [CrossRef]
  163. Page, M.J.; Moher, D.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. PRISMA 2020 explanation and elaboration: Updated guidance and exemplars for reporting systematic reviews. BMJ 2021, 372, n160. [Google Scholar] [CrossRef]
  164. Haddaway, N.R.; Page, M.J.; Pritchard, C.C.; McGuinness, L.A. PRISMA2020: An R package and Shiny app for producing PRISMA 2020-compliant flow diagrams, with interactivity for optimised digital transparency and Open Synthesis. Campbell Syst. Rev. 2022, 18, e1230. [Google Scholar] [CrossRef]
  165. Zupic, I.; Čater, T. Bibliometric Methods in Management and Organization. Organ. Res. Methods 2015, 18, 429–472. [Google Scholar] [CrossRef]
  166. Falchi de Magalhães, F.L.; Gaspar, M.A.; Luciano, E.M.; Napolitano, D.M.R. Information technology governance: Legitimation, theorization and field trends. Rev. Gest. 2021, 28, 50–65. [Google Scholar] [CrossRef]
  167. Gewald, H.; Wagner, H.T. Using Lessons from the COVID-19 Crisis to Move from Traditional to Adaptive IT Governance. MIS Q. Exec. 2022, 21, 287. [Google Scholar] [CrossRef]
  168. Nazief, B.A.; Yudatama, U.; Hidayanto, A.N. Important factors in information technology governance awareness: An empirical survey of the expert’s opinion in Indonesia. J. Comput. Sci. 2019, 15, 1065–1073. [Google Scholar] [CrossRef]
  169. De Haes, S.; van Grembergen, W. An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment. Inf. Syst. Manag. 2009, 26, 123–137. [Google Scholar] [CrossRef]
  170. Ilmudeen, A. Information technology (IT) governance and IT capability to realize firm performance: Enabling role of agility and innovative capability. Benchmarking 2022, 29, 1137–1161. [Google Scholar] [CrossRef]
  171. Prasad, A.; Green, P.; Heales, J. On IT governance structures and their effectiveness in collaborative organizational structures. Int. J. Account. Inf. Syst. 2012, 13, 199–220. [Google Scholar] [CrossRef]
  172. Yudatama, U.; Hidayanto, A.N.; Nazief, B.A.A. Analysis of benefits and barriers as a critical success factor in IT governance implementation by using interpretive structural model. J. Comput. Sci. 2019, 15, 983–994. [Google Scholar] [CrossRef][Green Version]
  173. Ali, S.; Green, P. Effective information technology (IT) governance mechanisms: An IT outsourcing perspective. Inf. Syst. Front. 2012, 14, 179–193. [Google Scholar] [CrossRef]
  174. Prasad, A.; Heales, J.; Green, P. A capabilities-based approach to obtaining a deeper understanding of information technology governance effectiveness: Evidence from IT steering committees. Int. J. Account. Inf. Syst. 2010, 11, 214–232. [Google Scholar] [CrossRef]
  175. Joshi, A.; Bollen, L.; Hassink, H.; De Haes, S.; Van Grembergen, W. Explaining IT governance disclosure through the constructs of IT governance maturity and IT strategic role. Inf. Manag. 2018, 55, 368–380. [Google Scholar] [CrossRef]
  176. Yudatama, U.; Hidayanto, A.N.; Nazief, B.A.A.; Phusavat, K. Data to model the effect of awareness on the success of IT Governance implementation: A partial least squares structural equation modeling approach (PLS-SEM). Data Brief 2019, 25, 104333. [Google Scholar] [CrossRef]
  177. Prasad, A.; Green, P. Governing cloud computing services: Reconsideration of IT governance structures. Int. J. Account. Inf. Syst. 2015, 19, 45–58. [Google Scholar] [CrossRef]
  178. Anomah, S.; Ayeboafo, B.; Aduamoah, M. An Audit Risk Model for It Audit Ecosystems and Digital Transformation (Dx) Decision Making. Edpacs 2021, 64, 1–33. [Google Scholar] [CrossRef]
  179. Erasmus, W.; Marnewick, C. An IT governance framework for IS portfolio management. Int. J. Manag. Proj. Bus. 2021, 14, 721–742. [Google Scholar] [CrossRef]
  180. Khalid, M.; Khan, R.A.; Khushnood, M.; Aslam, S.; Khattak, Z.Z.; Abbas, S. An Empirical Analysis of the Influence of Project Governance and Information Technology Governance on Project Delay. Glob. Bus. Review. 2022, 2022, 09721509221121179. [Google Scholar] [CrossRef]
  181. Denford, J.S.; Dawson, G.S.; Desouza, K.C. Centralization and Decentralization Decisions: Multiple Contingencies for IT Governance in the Public Sector. AIS Trans. Replication Res. 2021, 7, 21. [Google Scholar]
  182. Mulyana, R.; Rusu, L.; Perjons, E. Key ambidextrous IT governance mechanisms for successful digital transformation: A case study of Bank Rakyat Indonesia (BRI). Digit. Bus. 2024, 4, 100083. [Google Scholar] [CrossRef]
  183. Levstek, A.; Pucihar, A.; Hovelja, T. Towards an Adaptive Strategic IT Governance Model for SMEs. J. Theor. Appl. Electron. Commer. Res. 2022, 17, 230–252. [Google Scholar] [CrossRef]
  184. Brown, W.C. IT governance, architectural competency, and the Vasa. Inf. Manag. Comput. Secur. 2006, 14, 140–154. [Google Scholar] [CrossRef]
  185. Joshi, A.; Benitez, J.; Huygh, T.; Ruiz, L.; De Haes, S. Impact of IT governance process capability on business performance: Theory and empirical evidence. Decis. Support Syst. 2022, 153, 113668. [Google Scholar] [CrossRef]
  186. Simonsson, M.; Johnson, P.; Ekstedt, M. The effect of IT governance maturity on IT governance performance. Inf. Syst. Manag. 2010, 27, 10–24. [Google Scholar] [CrossRef]
  187. Janssen, M.; Joha, A. Understanding IT governance for the operation of shared services in public service networks. Int. J. Netw. Virtual Organ. 2007, 4, 20–34. [Google Scholar] [CrossRef]
  188. Amali, L.N.; Mahmuddin, M.; Ahmad, M. Information technology governance framework in the public sector organizations. Telkomnika 2014, 12, 429–436. [Google Scholar] [CrossRef][Green Version]
  189. Marzullo, F.P.; De Souza, J.M. New directions for IT governance in the Brazilian government. Int. J. Electron. Gov. Res. 2009, 5, 57–69. [Google Scholar] [CrossRef]
  190. Rau, K.G. Effective governance of it: Design objectives, roles, and relationships. Inf. Syst. Manag. 2004, 21, 35–42. [Google Scholar] [CrossRef]
  191. Tonelli, A.O.; de Souza Bermejo, P.H.; Aparecida dos Santos, P.; Zuppo, L.; Zambalde, A.L. It governance in the public sector: A conceptual model. Inf. Syst. Front. 2017, 19, 593–610. [Google Scholar] [CrossRef]
  192. Buchwald, A.; Urbach, N.; Ahlemann, F. Business value through controlled IT: Toward an integrated model of IT governance success and its impact. J. Inf. Technol. 2014, 29, 128–147. [Google Scholar] [CrossRef]
  193. Valverde-Alulema, F.; Llorens-Largo, F. Rubric for Evaluating the Alignment of the IT Project Portfolio with IT Governance in Universities. DATA BASE Adv. Inf. Syst. 2021, 52, 56–76. [Google Scholar] [CrossRef]
  194. De Gier, J. IT Governance of Dutch Municipalities and Digital Information Management. New Rev. Inf. Netw. 2018, 23, 36–46. [Google Scholar] [CrossRef]
  195. Maestre-Góngora, G.; Aponte, D. Dataset about information technology governance: A survey in Colombian enterprises. Data Brief 2023, 50, 109480. [Google Scholar] [CrossRef]
  196. Bouayad, H.; Benabbou, L.; Berrado, A. Aligning information technology and supply chain: An approach to map SCOR to COBIT. Int. J. Inf. Syst. Model. Des. 2021, 12, 1–26. [Google Scholar] [CrossRef]
  197. Kude, T.; Lazic, M.; Heinzl, A.; Neff, A. Achieving IT-based synergies through regulation-oriented and consensus-oriented IT governance capabilities. Inf. Syst. J. 2018, 28, 765–795. [Google Scholar] [CrossRef]
  198. Martins, L.M.; Moura, A.; da Cunha, P.R.; Figueiredo, A.D. Selecting and ranking IT governance practices for electric utilities. 16th Americas Conference on Information Systems 2010. AMCIS 2010, 5, 3140–3151. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84870326569&partnerID=40&md5=ae15f724043c4f05a3152334e585d7c1 (accessed on 1 June 2025).
  199. Simonsson, M.; Johnson, P.; Ekstedt, M.; Flores, W.R. It governance decision support using the it organization modeling and assesment tool. Int. J. Innov. Technol. Manag. 2011, 8, 167–189. [Google Scholar] [CrossRef]
  200. Furstenau, D.; Rothe, H.; Sandner, M. Shadow systems, risk, and shifting power relations in organizations. Commun. Assoc. Inf. Syst. 2017, 41, 43–61. [Google Scholar] [CrossRef]
  201. Turel, O.; Liu, P.; Bart, C. Board-Level Information Technology Governance Effects on Organizational Performance: The Roles of Strategic Alignment and Authoritarian Governance Style. Inf. Syst. Manag. 2017, 34, 117–136. [Google Scholar] [CrossRef]
  202. Zhang, P.; Zhao, K.; Kumar, R.L. Impact of IT Governance and IT Capability on Firm Performance. Inf. Syst. Manag. 2016, 33, 357–373. [Google Scholar] [CrossRef]
  203. Jewer, J.; McKay, K.N. Antecedents and consequences of board IT governance: Institutional and strategic choice perspectives. J. Assoc. Inf. Syst. 2012, 13, 581–617. [Google Scholar] [CrossRef]
  204. Ako-Nai, A.; Singh, A.M. Information technology governance framework for improving organisational performance. S. Afr. J. Inf. Manag. 2019, 21, 1–11. [Google Scholar] [CrossRef]
  205. Benaroch, M.; Chernobai, A. Operational it failures, it value destruction, and board-level it governance changes. MIS Q. Manag. Inf. Syst. 2017, 41, 729–762. [Google Scholar] [CrossRef]
  206. Nolan, R.; McFarlan, F.W. Information technology and the board of directors. Harv. Bus. Rev. 2005, 83, 96–106+157. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-27144549861&partnerID=40&md5=0885c30ff5ad6a51badbcc6cd775dd2d (accessed on 1 June 2025).
  207. Al-Sartawi, A.M.A.M. Information technology governance and cybersecurity at the board level. Int. J. Crit. Infrastruct. 2020, 16, 150–161. [Google Scholar] [CrossRef]
  208. Hamdan, A.; Khamis, R.; Anasweh, M.; Al-Hashimi, M.; Razzaque, A. IT Governance and Firm Performance: Empirical Study from Saudi Arabia. Sage Open 2019, 9, 2158244019843721. [Google Scholar] [CrossRef]
  209. Jewer, J.; McKay, K.N. Unpacking Board-Level IT Competency. Commun. Assoc. Inf. Syst. 2025, 56, 33. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-105001965555&partnerID=40&md5=236b4624cc4681c583e3425159628408 (accessed on 1 June 2025). [CrossRef]
  210. Mohamad, S.; Hendrick, M.; O’Leary, C.; Best, P. Developing a model to evaluate the information technology competence of boards of directors. Corp. Ownersh. Control 2014, 12, 64–74. [Google Scholar] [CrossRef]
  211. Mohamad, S.; O’Leary, C.; Best, P. Assessing it competences of boards of directors: Perceptions of Malaysian CIOs. Corp. Ownersh. Control 2015, 12, 196–205. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84924283148&partnerID=40&md5=97dd720b8c7ffde2575695161f065236 (accessed on 1 June 2025). [CrossRef]
  212. Ilmudeen, A. IT Governance mechanism and IT-enabled dynamic capabilities drives firm performance: An empirical study in Sri Lanka. Inf. Dev. 2024, 40, 3–19. [Google Scholar] [CrossRef]
  213. Menshawy, I.M.; Basiruddin, R.; Mohdali, R.; Qahatan, N. Board Information Technology Governance Mechanisms and Firm Performance among Iraqi Medium-Sized Enterprises: Do IT Capabilities Matter? J. Risk Financ. Manag. 2022, 15, 72. [Google Scholar] [CrossRef]
  214. Turel, O.; Liu, P.; Bart, C. Is board IT governance a silver bullet? A capability complementarity and shaping view. Int. J. Account. Inf. Syst. 2019, 33, 32–46. [Google Scholar] [CrossRef]
  215. Kozlica, A. Board Information Technology Governance and Business Agility: An Empirical Analysis Among Bosnian Enterprises. Int. J. E-Serv. Mob. Appl. 2021, 13, 28–49. [Google Scholar] [CrossRef]
  216. Lowry, M.R.; Lowry, P.B.; Chatterjee, S.; Moody, G.D.; Richardson, V.J. Achieving strategic alignment between business and information technology with information technology governance: The role of commitment to principles and Top Leadership Support. Eur. J. Inf. Syst. 2024, 34, 610–635. [Google Scholar] [CrossRef]
  217. Alreemy, Z.; Chang, V.; Walters, R.; Wills, G. Critical success factors (CSFs) for information technology governance (ITG). Int. J. Inf. Manag. 2016, 36, 907–916. [Google Scholar] [CrossRef]
  218. Sohal, A.S.; Fitzpatrick, P. IT governance and management in large Australian organisations. Int. J. Prod. Econ. 2002, 75, 97–112. [Google Scholar] [CrossRef]
  219. Yaw Han, C.; Chi, L.L.; Ping, Y. Study on correlation between critical successful factors of IT governance and governance performance. J. Converg. Inf. Technol. 2011, 6, 329–338. [Google Scholar] [CrossRef][Green Version]
  220. Chi, M.; Zhao, J.; George, J.F.; Li, Y.; Zhai, S. The influence of inter-firm IT governance strategies on relational performance: The moderation effect of information technology ambidexterity. Int. J. Inf. Manag. 2017, 37, 43–53. [Google Scholar] [CrossRef]
  221. Gregory, R.W.; Kaganer, E.; Henfridsson, O.; Ruch, T.J. It consumerization and the transformation of it governance. MIS Q. Manag. Inf. Syst. 2018, 42, 1225–1253. [Google Scholar] [CrossRef]
  222. Zuo, M.; Ma, D.; Yu, Y. Contextual determinants of IT governance mechanism formulation for senior care services in local governments. Int. J. Inf. Manag. 2020, 53, 102125. [Google Scholar] [CrossRef]
  223. Williams, C.K.; Karahanna, E. Causal explanation in the coordinating process: A critical realist case study of federated it governance structures. MIS Q. Manag. Inf. Syst. 2013, 37, 933–964. [Google Scholar] [CrossRef]
  224. Aguilar Alonso, I.; Carrillo Verdún, J.; Tovar Caro, E. Description of the structure of the IT demand management process framework. Int. J. Inf. Manag. 2017, 37, 1461–1473. [Google Scholar] [CrossRef]
  225. Ioniţă, F.D. IT governance–a global approach at company level. Electron. Gov. 2009, 6, 406–420. [Google Scholar] [CrossRef]
  226. Kim, K.W.; Lee, K.Y. ITA functions and IT governance from towards public & private enterprises in Korea: A study for influence factors. J. Sci. Ind. Res. 2014, 73, 16–20. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84892412171&partnerID=40&md5=61238a8cf64c23fe32a1e66138e38627 (accessed on 1 June 2025).
  227. Lin, F.; Chou, S.; Wang, W.K. Is practitioners’ views on core factors of effective IT governance for Taiwan SMEs. Int. J. Technol. Manag. 2011, 54, 252–269. [Google Scholar] [CrossRef]
  228. Awwad, M.S.; Al Omoush, K.S. Governance of information technology-business relationship quality and performance outcomes. Electron. Gov. 2012, 9, 350–369. [Google Scholar] [CrossRef]
  229. Price, J.B.; Lankton, N. A framework and guidelines for assessing and developing board-level information technology committee charters. J. Inf. Syst. 2018, 32, 109–129. [Google Scholar] [CrossRef]
  230. Qahatan, N.; Basiruddin, R.; Mohdali, R.; Samuel, A.B.; Khlifa, H. Board-level competency and firm performance in the information age. Int. J. Innov. Creat. Change 2020, 13, 1171–1189. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85087082460&partnerID=40&md5=6634897f95576c60d1895948cd7aa37d (accessed on 1 June 2025).
  231. Bart, C.; Turel, O. The role of the board in IT governance: Current and desired oversight practices. Int. J. Bus. Gov. Ethics 2009, 4, 316–329. [Google Scholar] [CrossRef]
  232. Bart, C.; Turel, O. IT and the board of directors: An empirical investigation into the “Governance questions” Canadian board members ask about IT. J. Inf. Syst. 2010, 24, 147–172. [Google Scholar] [CrossRef]
  233. Cheng, R.C.N.; Men, X.; Hsieh, J.J.P.A.; Cheng, Z.J.; Cui, X.; Wang, T.; Hsu, S.H. The effects of IT chargeback on strategic alignment and performance: The contingent roles of business executives’ IT competence and CIOs’ business competence. Internet Res. 2023, 33, 57–83. [Google Scholar] [CrossRef]
  234. Ko, D.; Fink, D. Information technology governance: An evaluation of the theory-practice gap. Corp. Gov. 2010, 10, 662–674. [Google Scholar] [CrossRef]
  235. Posthumus, S.; Von Solms, R.; King, M. The board and IT governance: The what, who and how. S. Afr. J. Bus. Manag. 2010, 41, 23–32. [Google Scholar] [CrossRef]
  236. Tang, Z.; Meng, J.; Wu, Y. The core components and conceptual framework of IT governance based on quantitative content analysis. Int. J. Digit. Content Technol. Its Appl. 2012, 6, 196–204. [Google Scholar] [CrossRef]
  237. Turel, O.; Liu, P.; Bart, C. Board-Level IT Governance. IT Prof. 2019, 21, 58–65. [Google Scholar] [CrossRef]
  238. Dutta, A.; Roy, R.; Seetharaman, P. An assimilation maturity model for IT governance and auditing. Inf. Manag. 2022, 59, 103569. [Google Scholar] [CrossRef]
  239. Kosasi, S.; Yuliani, I.D.A.E. Impacts of IT governance in expanding market shares of online stores. Int. J. Adv. Trends Comput. Sci. Eng. 2019, 8, 339–346. [Google Scholar] [CrossRef]
  240. Tambotoh, J.J.C.; Latuperissa, R. It governance self assessment application for e-Government implementation in Indonesia. J. Theor. Appl. Inf. Technol. 2015, 71, 122–128. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84920948480&partnerID=40&md5=44dd519595867451f20d765d3b2f1d47 (accessed on 1 June 2025).
  241. Héroux, S.; Fortin, A. The internal audit function in information technology governance: A holistic perspective. J. Inf. Syst. 2013, 27, 189–217. [Google Scholar] [CrossRef]
  242. Juiz, C.; Duhamel, F.; Gutiérrez-Martínez, I.; Luna-Reyes, L.F. IT Managers’ Framing of IT Governance Roles and Responsibilities in Ibero-American Higher Education Institutions. Informatics 2022, 9, 68. [Google Scholar] [CrossRef]
  243. Wilkin, C.L.; Campbell, J.; Moore, S. Creating value through governing IT deployment in a public/private-sector inter-organisational context: A human agency perspective. Eur. J. Inf. Syst. 2013, 22, 498–511. [Google Scholar] [CrossRef]
  244. Zarvić, N.; Stolze, C.; Boehm, M.; Thomas, O. Dependency-based IT Governance practices in inter-organisational collaborations: A graph-driven elaboration. Int. J. Inf. Manag. 2012, 32, 541–549. [Google Scholar] [CrossRef]
  245. Ajayi, B.A.; Hussin, H. Conceptualizing Information Technology Governance Model for Higher Education: An Absorptive Capacity Approach. Bull. Electr. Eng. Inform. 2018, 7, 117–124. [Google Scholar] [CrossRef]
  246. Hammami, S.; Durrah, O.; Jamil, S.A.; Eltigani, M. Engaging Knowledge Capabilities to Sustain the Application of Information Technology Governance in Healthcare Institutions. Sage Open 2022, 12, 21582440221132783. [Google Scholar] [CrossRef]
  247. De Maere, K.; De Haes, S.; von Kutzchenbach, M.; Huygh, T. Identifying the Enablers and Inhibitors of Organizational Learning in the Context of IT Governance: An Exploratory Delphi Study. Inf. Syst. Manag. 2022, 39, 241–268. [Google Scholar] [CrossRef]
  248. Al-Talhi, A.H.; Al-Ghamdi, A.A.M. IT governance: Performance and risk management evaluation in higher education. Information 2014, 17, 6355–6369. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84924598473&partnerID=40&md5=0605e1cc4fd54499876970fb5a2488c1 (accessed on 1 June 2025).
  249. Luna-Reyes, L.; Juiz, C.; Gutierrez-Martinez, I.; Duhamel, F.B. Exploring the relationships between dynamic capabilities and IT governance: Implications for local governments. Transform. Gov. People Process Policy 2020, 14, 149–169. [Google Scholar] [CrossRef]
  250. Alaqla, M.F. The Impact of It Governance and Administrative Information Quality on Decision-Making in the Banking Sector. Corp. Gov. Organ. Behav. Rev. 2023, 7, 171–182. [Google Scholar] [CrossRef]
  251. Dong, S. Decision execution mechanisms of IT governance: The CRM case. Int. J. Inf. Manag. 2012, 32, 147–157. [Google Scholar] [CrossRef]
  252. Gui, A.; Jasmi, M.F.A.; Shahudin, F.; Jonathan, K. Do Market Capabilities and Strategic Alliances Impact It Business Performance? J. Theor. Appl. Inf. Technol. 2022, 100, 2617–2629. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85130709386&partnerID=40&md5=b7e435bc0f3b1a242820dddea82fd212 (accessed on 1 June 2025).
  253. Liew, C.W.; Hamid, N.A.A. The influences on the status of information technology governance implementations in Malaysia’s technical universities. J. Sci. Technol. Policy Manag. 2024, 16, 1199–1223. [Google Scholar] [CrossRef]
  254. Edirisinghe Vincent, N.; Pinsker, R. IT risk management: Interrelationships based on strategy implementation. Int. J. Account. Inf. Manag. 2020, 28, 553–575. [Google Scholar] [CrossRef]
  255. Arshad, Y.; Ahlan, A.R.; Ajayi, B.A. Intelligent IT governance decision-making support framework for a developing country’s public university. Intell. Decis. Technol. 2014, 8, 131–146. [Google Scholar] [CrossRef]
  256. Magnusson, J.; Koutsikouri, D.; Päivärinta, T. Efficiency creep and shadow innovation: Enacting ambidextrous IT Governance in the public sector. Eur. J. Inf. Syst. 2020, 29, 329–349. [Google Scholar] [CrossRef]
  257. Hiekkanen, K.; Pekkala, A.; Collin, J. Improving strategic alignment: A case study. Inf. Resour. Manag. J. 2015, 28, 19–37. [Google Scholar] [CrossRef]
  258. Mangundu, J. Exploring Factors Impacting Information Technology Governance Implementation Maturity in Institutions of Higher Education, South Africa: Application of the Will-Skill-Tool Model. Afr. J. Inf. Syst. 2024, 16, 1. [Google Scholar]
  259. Al-Taee, S.H.H.; Flayyih, H.H. Impact of the Electronic Internal Auditing Based on It Governance to Reduce Auditing Risk. Corp. Gov. Organ. Behav. Rev. 2023, 7, 94–100. [Google Scholar] [CrossRef]
  260. Alsaleem, E.A.; Husin, N.M. The Impact of Information Technology Governance Under Cobit-5 Framework on Reducing the Audit Risk in Jordanian Companies. Int. J. Prof. Bus. Rev. 2023, 8, 4. [Google Scholar] [CrossRef]
  261. Alsaleem, E.A.; Husin, N.M. It Governance and Audit Risk in Jordanian Companies: The Moderating Role of Audit Quality. Rev. Gest. Soc. Ambient. 2024, 18, 1–16. [Google Scholar] [CrossRef]
  262. Sahd, L.M.; Rudman, R. Mobile technology risk management. J. Appl. Bus. Res. 2016, 32, 1079–1096. [Google Scholar] [CrossRef][Green Version]
  263. Al-Farsi, K.; El Haddadeh, R. Framing information technology governance in the public sector: Opportunities and challenges. Int. J. Electron. Gov. Res. 2015, 11, 89–101. [Google Scholar] [CrossRef]
  264. Ali, A.; Nisar, A. Exploration of IT Governance Practices and their Effect on Strategic Projects’ Outcomes in Public Sector Organizations of Pakistan. Int. J. Comput. Sci. Netw. Secur. 2016, 16, 10–19. [Google Scholar]
  265. Jaafar, N.I.; Jordan, E. An exploratory case study of governance practices for information technology (IT) projects in a government-linked company. Afr. J. Bus. Manag. 2011, 5, 10667–10706. [Google Scholar] [CrossRef]
  266. Shokouhyar, S.; Zarrin, S.; Shokoohyar, S. Analysing the impact of IT governance on the performance of project-based organisations. Int. J. Bus. Syst. Res. 2020, 14, 411–433. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85085333639&partnerID=40&md5=0f58a0ef0a652e39a960fccc30ba11e9 (accessed on 1 June 2025). [CrossRef]
  267. Adrian, F.X.; Wang, G. Measure the Level Capability it Governance in Effectiveness Internal Control for Cybersecurity Using the Cobit 2019 in Organization: Banking Company. J. Theor. Appl. Inf. Technol. 2023, 101, 1710–1723. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85152934238&partnerID=40&md5=a5f6f14737f902c6d9b046735ba831b3 (accessed on 1 June 2025).
  268. Alulema, F.X.V.; Llorens, F. Alignment of the portfolio of it projects with the it governance in spanish universities. TECHNO Rev. Int. Technol. Sci. Soc. Rev./Rev. Int. De Tecnol. Cienc. Soc. 2021, 10, 111–131. [Google Scholar] [CrossRef]
  269. Bimantoro, A.S.; Jayadi, R. IT Governance Measurement using COBIT 5 for Evaluating IT Project Management Aspect: Case Study of Insurance Company. J. Syst. Manag. Sci. 2022, 12, 315–333. [Google Scholar] [CrossRef]
  270. Patterson, M. A structured approach to strategic alignment between business and information technology objectives. S. Afr. J. Bus. Manag. 2020, 51, 1–12. [Google Scholar] [CrossRef]
  271. Hamid, Z.A.; Sulaiman, H. COBIT benchmarking of system development governance for a government agency in Malaysia. J. Theor. Appl. Inf. Technol. 2016, 89, 1–10. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84978730225&partnerID=40&md5=8f2b3cd2b4ab7af6e0d6f0590fdce219 (accessed on 1 June 2025).
  272. Maseko, L.; Marx, B. An analysis of cobit 5 as a framework for the implementation of it governance with reference to King III. Risk Gov. Control Financ. Mark. Inst. 2016, 6, 20–34. [Google Scholar] [CrossRef]
  273. Putri, M.A.; Aknuranda, I.; Mahmudy, W.F. Development of a conceptual framework to determine improvement of IT governance using COBIT 5 and AHP-GA. J. Telecommun. Electron. Comput. Eng. 2017, 9, 43–49. Available online: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85032814056&partnerID=40&md5=8b128eacadca76860f5b38668a100ed6 (accessed on 1 June 2025).
  274. Henriques, D.; Almeida, R.; Pereira, R.; da Silva, M.M.; Bianchi, I.S. How IT governance can assist iot project implementation. Int. J. Inf. Syst. Proj. Manag. 2020, 8, 25–45. [Google Scholar] [CrossRef]
Computers 14 00520 g001
Figure 1. PRISMA flow diagram.
Figure 1. PRISMA flow diagram.
Computers 14 00520 g001
Computers 14 00520 g002
Figure 2. Historical evolution of publications. (1999–2025/May).
Figure 2. Historical evolution of publications. (1999–2025/May).
Computers 14 00520 g002
Computers 14 00520 g003
Figure 3. Strategic diagram.
Figure 3. Strategic diagram.
Computers 14 00520 g003
Computers 14 00520 g004
Figure 4. Thematic diagram of resource allocation.
Figure 4. Thematic diagram of resource allocation.
Computers 14 00520 g004
Computers 14 00520 g005
Figure 5. Thematic diagram of industrial management.
Figure 5. Thematic diagram of industrial management.
Computers 14 00520 g005
Computers 14 00520 g006
Figure 6. Thematic diagram of Strategic Alignment.
Figure 6. Thematic diagram of Strategic Alignment.
Computers 14 00520 g006
Computers 14 00520 g007
Figure 7. Thematic diagram of Boards of Directors.
Figure 7. Thematic diagram of Boards of Directors.
Computers 14 00520 g007
Computers 14 00520 g008
Figure 8. Thematic diagram of Information Management.
Figure 8. Thematic diagram of Information Management.
Computers 14 00520 g008
Computers 14 00520 g009
Figure 9. Thematic diagram of It Function.
Figure 9. Thematic diagram of It Function.
Computers 14 00520 g009
Computers 14 00520 g010
Figure 10. Thematic diagram of Laws and Legislation.
Figure 10. Thematic diagram of Laws and Legislation.
Computers 14 00520 g010
Computers 14 00520 g011
Figure 11. VOSviewer diagram.
Figure 11. VOSviewer diagram.
Computers 14 00520 g011
Table 2. Most active journals.
Table 2. Most active journals.
JournalNumber of Publications
Information Systems Management17
Journal of Information Systems13
International Journal of Accounting Information Systems12
Journal of Theoretical and Applied Information Technology10
European Journal of Information Systems9
International Journal of Advanced Computer Science and Applications (IJACSA)8
Management Information Systems Quarterly8
Table 3. Countries with the highest contributions.
Table 3. Countries with the highest contributions.
CountryNumber of Publications
United States58
Indonesia37
Australia26
Malaysia20
South Africa17
Brazil14
Canada14
China13
Belgium11
Germany10
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Vaya-Arboledas, Á.; Ferrer-Oliva, M.; Medina-Merodio, J.A. Evolution and Perspectives in IT Governance: A Systematic Literature Review. Computers 2025, 14, 520. https://doi.org/10.3390/computers14120520

AMA Style

Vaya-Arboledas Á, Ferrer-Oliva M, Medina-Merodio JA. Evolution and Perspectives in IT Governance: A Systematic Literature Review. Computers. 2025; 14(12):520. https://doi.org/10.3390/computers14120520

Chicago/Turabian Style

Vaya-Arboledas, Álvaro, Mikel Ferrer-Oliva, and José Amelio Medina-Merodio. 2025. "Evolution and Perspectives in IT Governance: A Systematic Literature Review" Computers 14, no. 12: 520. https://doi.org/10.3390/computers14120520

APA Style

Vaya-Arboledas, Á., Ferrer-Oliva, M., & Medina-Merodio, J. A. (2025). Evolution and Perspectives in IT Governance: A Systematic Literature Review. Computers, 14(12), 520. https://doi.org/10.3390/computers14120520

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop