• Marcia Cristina Machado Nove de Julho University
  • Flavio Hourneaux Junior University of São Paulo; School of Economics, Bussiness Administration and Accounting
  • Fernanda Aparecida Sobral Nove de Julho University
Keywords: Information technology (IT), Sustainable IT, COBIT maturity models, sustainability indicators, Global Reporting Initiative


Parallel to the development of technology in its different fronts and particularly about the various applications of Information Technology (IT), another trend that has been consolidated in organizations is the search for sustainability. There are initiatives such as Green IT, Sustainable IT, and Green software that combine these two elements (IT and sustainability). In this context, this study aims to identify the presence of sustainability aspects in the COBIT (Control Objectives for Information and Related Technologies) model of IT management. Thus, this article seeks to verify if and how versions 4.1 and 5 of the COBIT model-which guide IT managers in the alignment of technical activities with the organization's strategy-are related to sustainability, through the use of sustainability indicators defined by the Global Reporting Initiative (GRI) as a representative proxy of sustainability aspects necessary for the user organization of the model. This exploratory research makes use of documental research and presents the following main results: (1) partial alignment of the COBIT model with the generic categories of the GRI, especially the governance category; and (2) it highlights the small relation of this model with broader environmental and social aspects in the same way that it presents relationship limitations with economic aspects evaluated by the GRI.


Download data is not yet available.
How to Cite
Machado, M., Hourneaux Junior, F., & Sobral, F. (2017). SUSTAINABILITY IN INFORMATION TECHNOLOGY: AN ANALYSIS OF THE ASPECTS CONSIDERED IN THE MODEL COBIT. JISTEM - Journal of Information Systems and Technology Management (Online), 14(1), 88-110.


According to a study conducted in the 2012/2013 biennium by the Brazilian Association of Information Technology and Communication Companies (BRASSCOM), the Information Technology (IT) sector represents 5.2% of Brazil’s GDP, with a turnover of US$ 123 billion in 2012, emerging as among the 10 largest global markets ( BRASSCOM, 2014). These figures reflect, according to the publication, organizations’ search for greater efficiency with the use of technology as an enabling tool for increasing productivity and improving company performance.

In line with the continuous increase in the use of technology power consumption is also expected to increase. Due to the increase in tariff rates related to foreseen energy consumption, the Brazilian market has been concerned with the reduction of electricity costs. With these circumstances and as the IT sector acquires maturity, the demand for energy efficient equipment gains notoriety ( Canaltech, 2015). It is in this context that the so-called Green IT gains prominence, defined as information technology that encompasses environmentally friendly infrastructure, hardware, and software from production to the application of environmental standards in product lifecycle assessment and disposal ( Bose & Luo, 2012; Murugesan, 2008).

Initial research on Green IT has focused on energy efficiency and data center infrastructure, though little attention has been given to the disposal of equipment ( Chauhan & Saxena, 2013; Murugesan, 2008) and energy efficiency from the perspective of software development ( Chauhan & Saxena, 2013). So-called Green Software, another important element in this issue, refers to the process of software production that directly or indirectly reduces negative impacts on the economy, society, and human and environmental well-being, having a positive effect on sustainable development ( Rashid & Khan, 2014).

Another concept similar to Green IT and Green Software is Sustainable IT, which is characterized by the application of IT practices and technologies for the benefit of customers and others stakeholders that ensure long-term well-being in economic, social, and environmental sustainability pillars ( Harmon, Demirkan, Auseklis, & Reinoso, 2010).

Thus, the following research question arises: how to identify and measure the impact of activities in IT from a sustainability perspective? In general, traditional IT performance metrics have not been very precise and have the main challenge of communicating their results in a manner that executives understand. This approach requires, in addition to already consolidated financial and quality metrics, the incorporation of other analysis methods ( Ferreira & Ramos, 2005).

The task can become even more complex when introducing a sustainability perspective to IT performance metrics. Sustainability indicators have the function of making clear to stakeholders the connections and changes in social, environmental, and economic values, aiming to monitor and validate actions taken in the long term ( OECD, 2010). Among the standards of internationally recognized sustainability indicators is the GRI (Global Reporting Initiative) ( Campos et al., 2013)( Campos et al., 2013)whose main goal is to elevate the use of sustainability reporting to the same level of understanding and acceptance as financial reporting ( Willis, 2003).

Thus, this study aims to identify the presence of sustainability aspects in IT management models through the use of sustainability indicators defined in the GRI. We intend to contribute to the discussion on the use of sustainable IT metrics, based on the development of Green Software in software companies in Brazil.

According to the Brazilian Association of Software Companies (ABES), 13,950 companies were identified as operating in the IT segment in 2016, of which 4,408 are dedicated to software development and production. The size of Brazilian IT companies equates to 49,21% micro, 45,89% small, 3,95% medium-sized, and 0,95% large, respectively ( ABES, 2016). According to these figures, any attempt of making IT and sustainability closer in Brazilian scenario would benefit a large number of stakeholders.

This investigation will make use of documental research, via textual analysis of maturity models that present criteria and requirements to improve processes in IT ( Becker, Knackstedt, & Pöppelbuß, 2009). These are embedded in COBIT (Control Objectives for Information and Related Technologies) 4.1 and COBIT 5 standards - whose objectives are related to the management and control of IT practices, seeking strategic IT alignment with business and maximizing their return - as well as the indicators set by the development guidelines related to sustainability in version G4 of the GRI.

The study is divided into five sections. After this introduction, the next section discusses the concepts, COBIT models, and relevant papers on the research subject. The third section describes the methodological aspects of the research. The following section presents the main results and analysis and, finally, the paper ends with conclusions and recommendations that emerge.



Maturity models are applied in IT as mechanisms to assist managers in monitoring the activities of technical teams to standardize and maintain the quality of information generated and stored in the computer systems of companies, as well as being an important tool of IT governance.

The standardization of processes developed in IT tend to improve reliability, predictability, agility, and increase flexibility in software development and/or computer systems ( Debreceny & Gray, 2013) in the same way that the management of technology resources allied to corporate strategy found support in maturity models that arose from the need to incorporate IT in corporate governance ( Mangalaraj, Singh, & Taneja, 2014).

Among the various maturity models used in the IT field, the Capability Maturity Model (CMM) and COBIT model stand out. The CMM was developed by the Software Engineering Institute of Carnegie Mellon University, with its first version being published in 1995. This set of metrics, similar to the plan-do-check-act (PDCA) cycle, was developed to provide companies dedicated to developing software mechanisms to improve the quality of their products and maintain rigor in deadlines and costs agreed with customers( Team, 2010).

The COBIT model was created at the end of the 1990s by the IT Governance Institute ( Klumb & Azevedo, 2014; Luciano & Testa, 2011). Its goal is related to the control of IT practices rather than their execution, with the most important aspects providing strategic alignment of IT to business in order to maximize returns, ensuring that IT resources are used sparingly and that risks associated with IT are mitigated ( Klumb & Azevedo, 2014; Luciano & Testa, 2011). This practice is done to improve the quality of products and services, the suitability of resource use and investments, and compliance with organizational governance requirements ( ITGI, 2007). The model is further subdivided into three models: processes, governance, and maturity (Luciano & Testa, 2011).

COBIT 4.1 promotes the control, management, and delivery of IT services through 34 processes across four domains. COBIT 5 features a more comprehensive approach, since it addresses governance and IT management, starting with strategic IT planning, and follows the entire course of development of the area’s daily activities ( Debreceny & Gray, 2013). In its structure, COBIT 5 presents tools for IT management; performance indicators that help identify faults; critical points in processes as well as mechanisms to mitigate them; and processes to support strategic IT alignment with businesses or customers, adding a holistic approach that brings together the various components of IT management and governance systems, which seek adherence to business and meet the requests of stakeholders ( ITGI, 2012).

COBIT 5 defines 17 generic goals, including a relationship with Balanced Scorecard (BSC) (Kaplan & Norton, 1997) dimensions, corporate objectives, and IT governance objectives, which support the realization of benefits, risk optimization, and resource optimization ( Moeller, Erek, Loeser, & Zarnekow, 2013).


The use of the term “sustainable development” first appeared in the Brundtland Commission Report that introduced the concept in the document Our Common Future, from the WCDE (World Commission on Environment and Development) (WCED, 1987). This report defined a new development paradigm that aimed to "meet the needs of the present without compromising the ability of future generations to meet their own needs".

Thus, concern for the environment occupies more and more space in society and has led to greater pressure on companies to abide by environmental standards and criteria, resulting in higher production costs and, potentially, reduced competitiveness and value. Due to this scenario, investment in sustainable actions could be considered an onerous expense instead of a business opportunity ( Porter & Van der Linde, 1995; Hart & Milstein, 2003).

In a corporate environment, a company is considered to be sustainable when it promotes gains in its three pillars: economic, environmental, and social. This approach is denominated the Triple Bottom Line (TBL) (Elkington, 1997). This new way of measuring company results relates to strategies associated with sustainability, which directly impact cost reductions via pollution control and the use of clean technologies; they improve reputation through product lifecycle and management; and generate new business opportunities due to the creation of new technologies or focus on unexploited markets ( Hart, 1995, 1997).

Sustainable IT incorporates Green IT requirements and product lifecycle guidelines and equipment policies that make up technology environments, namely: hardware, software, telecommunications, and people ( Standing & Jackson, 2007).

Although the definition of Green IT is associated with the issue of data centers and energy efficiency ( Bener, Morisio, & Miranskyy, 2014; Bose & Luo, 2011; Alemayehu Molla, Cooper, & Pittayachawan, 2009). Murugesan (2008) states that his concept is also related to the design, manufacture, use, and disposal of IT equipment to improve performance and system use while ensuring economic viability, maintained by social and business ethical responsibilities.

Green IT practices differ from other IT practices because of their commitment to environmental impacts, even if economic benefits are not achieved in the short term. Its importance is given by its potential in achieving corporate environmental goals ( Molla, 2009). Lunardi et al. (2014) consider it to be related to Green IT practices such as awareness, green data centers, disposal, and recycling, use of alternative energy sources, equipment or hardware, printing and software. Software does not directly appropriate resources, but the equipment on which it depends does, contributing to increases in carbon dioxide (CO2) emissions ( Taina, 2010). Thus, software can be considered green when the environmental impact of its use is reduced regarding energy consumption and CO2 emissions ( Bener et al., 2014; Taina, 2010).

The Green Software model, proposed by Naumann et al. (2011), comprises of the software lifecycle, sustainability criteria, product metrics, procedures for stakeholders, stock recommendations, and tools that support environmentally friendly sustainable development, acquisition, supply, and use ( Naumann, Dick, Kern, & Johann, 2011).

However, IT also has the potential to develop sustainable capabilities in its social axis ( Dao, Langella, & Carbo, 2011). The concept of Sustainable IT aimed to broaden this focus. It is defined by the use of Green IT practices, adding value to customers, stakeholders, and society to provide long-term benefits in economic, social, and environmental pillars ( Harmon et al., 2010).


Companies use indicators to achieve goals and monitor their progress. According to the Organization for Economic Co-operation and Development ( OECD, 2010), indicators are usually applied to raise awareness and understanding of current business conditions, assist decision making, and measure progress made in achieving pre-set targets. Thus, sustainability indicators have been developed at global, regional, and local levels ( OECD, 2010). Their function is to disseminate to policymakers and the general public the links between economic, social, and environmental values, validating the implications of long-term decisions and the monitoring of progress. These aim at the development of sustainable goals through the definition of conditions and trends ( OECD, 2010).

In this sense, sustainability indicators must cover economic, social, and sustainable aspects of human activities ( Hueting & Reijnders, 2004). Levett (1998) states that sustainability indicators should be politically relevant, resonant, as well as scientifically valid and measurable, that is, obtaining information must be viable.

The context of information is a necessary factor for the interpretation of indicators, ensuring their reliability. Another factor to be considered, and avoided, is having too much emphasis on one isolated indicator, which may cause distortion in the policy to be conducted ( Levett, 1998).

Keeble et al. (2003) state that companies are aligning their activities with sustainable development principles because investors seek evidence of good corporate governances and transparency; society and government are pressuring companies for disclosure of social and environmental performance; customers are concerned with the origin of products and their lifecycle; and employees seek to work in companies that visibly account for their societal responsibility.

The indicators must reflect the reality of business, values, and organizational culture, as well as how growth should be dictated by methods and standards. In this context, internationally recognized standards have the potential to report the progress of development through indicators assigned to this goal. Among the recognized standards are those found in the GRI, The Global Compact, the Sullivan Principles, ICC (International Chamber of Commerce) Business Charter for Sustainable Development and the WBCSD (World Business Council for Sustainable Development) Eco-Efficiency Metrics ( Keeble et al., 2003).

However, the evolution of sustainability reports follows market trends, with various companies adapting the model established by the GRI ( Campos et al., 2013). The GRI is a non-governmental and non-profit organization established in 1997 by the CERES (Coalition for Environmentally Responsible Economies) and the UNEP (United Nations Environmental Program) ( Campos et al., 2013; Levy, Szejnwald Brown, & de Jong, 2010; Willis, 2003).

The aim of the GRI is to build a voluntary disclosure framework to increase the dissemination of sustainable targets to a level similar to financial reporting regarding accuracy, comparison, auditing, and moral acceptance ( Willis, 2003). To achieve its objective, the GRI regularly publishes updated guidelines for the preparation of sustainability reports ( Dingwerth & Eichinger, 2010). These guidelines are stipulated by a complex multi-stakeholder process involving business, civil society organizations, workers, consultants, academics, government officials, and intergovernmental bodies ( Dingwerth & Eichinger, 2010).

The first draft of the guidelines, called G1, was created in 1999. Its second improved version, G2, was published in 2002 and in 2006 the third generation, known as G3, was released ( Brown, De Jong, & Lessidrenska, 2009; Campos et al., 2013). The G3 framework consists of disclosure principles and performance indicators ( Dingwerth & Eichinger, 2010). The disclosure principles are set out in the content of the report and provide a guide for their development within the report’s limits. Performance indicators specify aspects of organizational activities and impacts to be covered. Indicator protocols complement these disclosure principles and indicators, determining how data should be calculated and presented, and additional sections are stipulating industry-specific disclosure requirements ( Dingwerth & Eichinger, 2010).

GRI-G3 guidelines also require an “application level”. Level “A” is granted when reports cover all of the GRI-G3 indicators and important sector supplements, which includes all the managerial approaches to each indicator. Level “B” is awarded to organizations that disseminate a minimum of 20 indicators and their management approaches in different categories of each indicator. Level “C” indicates that a company has covered at least ten indicators, but does not necessarily possess organizational management approaches ( Dingwerth & Eichinger, 2010). In 2011, G3.1 guidelines were published, complementing the G3 model with an increase in performance indicators categorized as economic, environmental, and social ( Campos et al., 2013).

In 2015, the fourth version, GRI-G4, was published, which has five main objectives: to be a user-friendly guide; to improve the technical quality of the guidelines in order to eliminate ambiguities and allow better harmonization with other international guidelines; to improve the guidelines through the inclusion of material issues; and provide guidance for the development of sustainability reports in order to prepare integrated reporting. These objectives aim to ensure greater relevance and credibility, enabling companies to use guidelines for better communication with investors, markets, and society in their strategies and sustainable achievements ( Jones, Comfort, & Hillier, 2015).

The guidelines have contributed to the spread and dissemination of corporate social responsibility through a common language and understanding. However, it has not yet resulted in the generation of comparable data between companies( Levy et al., 2010). Nevertheless, it remains a world reference for non-financial disclosure and has been ratified by some governments, which encourages GRI disclosure and the establishment of standards based on its model ( Dingwerth & Eichinger, 2010). GRI guidelines thus emerge as an important tool for the dissemination of performance and corporate sustainability accounting to stakeholders ( Willis, 2003).


This research is exploratory, with the first step aiming to thoroughly research a topic that has been shyly approached. It, therefore, makes use of documental research, which according to Martins and Theóphilo (2009) is based on the use of documents, differing from the literature by the fact that it studies primary sources.

To comply with the proposed objective, maturity models were selected from COBIT 4.1 and 5, developed by IGT and ISACA /IGT. It guides, via models and procedures, better management and control of IT activities; assists in governance and interaction with business areas; and provides indicators set by guidelines for the preparation of GRI sustainability reporting in its fourth version, G4. The GRI has environmental, social, and economic categories, in addition to strong interactions among corporate management, stakeholders, and the society. The choice of these indicators and models is due to its dissemination and recognition ( Campos et al., 2013; Laurindo, 2008).

To conduct this research, the following was employed: first, there were the requirements recommended by COBIT 4.1 and 5 with the prospect of association with the BSC in its last version. With this information, the recommended GRI-G4 sustainability indicators were analyzed, evaluating their compliance with the requirements raised in COBIT. It was, therefore, necessary to analyze the descriptive content with the aim of identifying adherence, whose achievement proceeded as follows: the component items of the GRI categories (a total of 141 items) were associated with COBIT requirements in both versions. Each item was evaluated by observing the COBIT requirements that would meet the descriptive GRI indications, either directly-the description of the item in the GRI addresses the same subject as the COBIT requirement, or indirectly-the description of the item in the GRI addresses a topic covered by some COBIT requirements.

To accomplish this association, we used relationship analysis that aims to "find key relationships and make connections to various constitutive text elements" ( Lakatos & Marconi, 1991). The set of 34 COBIT requirements (in models 4.1 and 5) were linked to one or more GRI-G4 evaluation items, according to their adhesion percentages, using the scheme:

( g r i c o b i t ) ÷ g r i

Where: Σ gri = all the items of each GRI category.

(Σgri ∋ COBIT) = all the items in each GRI category that are related, directly or indirectly, to the COBIT requirements.

The results are presented in the next section of the paper.


The presentation of the results will follow the same sequence proposed by the GRI-G4 guidelines. It begins with addressing general aspects that include strategy and analysis, organizational profile, material aspects, stakeholder engagement, report profile, governance, ethics and integrity, and information on the form of management, followed by economic, environmental, and social aspects.


As a result of the analyses that were observed for the COBIT maturity model, the indicators proposed by the GRI-G4 guidelines (The complete list of indicators is presented in Appendix 1) have more compliance in the following categories: ethics and integrity, governance, strategy and analysis, and stakeholder engagement. Regarding the TBL dimensions, the social aspects, mainly the subcategories of training and education and products labelling, had a higher adherence in the COBIT model. Low adhesion levels were seen for other aspects, as shown in Table 1.

Table 1.:
Relationship between GRI and COBIT
Relationship between GRI and COBIT
Category GRI GRI items COBIT 4.1 Items % Adherence Items COBIT 5 % Adherence
Strategy and analysis 2 1 50% 1 50%
Organizational profile 14 3 21% 2 14%
Material aspects 7 0 0% 0 0%
Stakeholder engagement 4 1 25% 2 50%
Report profile 6 0 0% 0 0%
Governance 22 13 59% 12 55%
Ethics and integrity 3 3 100% 2 67%
Disclosure of Management Approach 1 0 0% 0 0%
Economic aspects 9 2 22% 2 22%
Environmental aspects 34 0 0% 3 9%
Social aspects 48 5 10% 5 10%

Source: Prepared by the authors.

The result of this analysis is supported by the research conducted by Moeller et al. (2013) where 355 executives and managers in the IT field were interviewed. The study aimed to identify their perceptions of the application of the model as a reference to support sustainable IT management, which showed that environmental and some social aspects are not covered by the maturity model of COBIT 5 ( Moeller et al., 2013).


General aspects of the GRI, that is, strategy and analysis, organizational profile, stakeholder engagement, governance, and ethics and integrity, found strong adherence with COBIT 4.1 and COBIT 5, which can be seen in the percentage of requirements related to these categories, since the maturity model is premised on the management of IT activities and governance IT, as shown in Table 2.

Table 2.:
GRI and COBIT Relationship - General Aspects
STRATEGY AND ANALYSIS G4-1 Descriptive statement by the main decision-maker about the relevance of sustainability to the organization and its sustainability strategy
G4-2 Description of main impacts, risks, and opportunities. PO1, E9, AI6, DS3, DS4, DS6, ME4 EDM01, EDM02, EDM03
ORGANIZATIONAL PROFILE G4-12 Describe the organization of the supply chain AI5, DS1, DS2 APO09, APO10
G4-13 Report any significant changes during the reporting period regarding size, structure, shareholding, organization's supply chain, including:
Changes in the location or the organization's operations, such as opening, closing, or expanding facilities
Changes in share capital structure and other training activities, maintenance, or capital change
Changes in the location of suppliers, the structure of the supply chain, and supplier relationships, including the selection and exclusion process DS1, DS2
G4-14 Report if and how the organization adopts the approach or the precautionary principle AI6, DS6, ME4 EDM03, EDM05, APO12, DSS02
STAKEHOLDER ENGAGEMENT G4-24 Present a list of stakeholders engaged by the organization PO2 EMD01, EDM02, EDM05
G4-26 Report the approach taken by the organization to engage stakeholders, including frequency of engagement by type and group, with an indication that any engagement is specifically promoted as part of the report preparation process. APO02, APO08, APO09, APO10, APO11
GOVERNANCE G4-34 Report the organization's governance structure, including committees of the highest governance body. Identify any committees responsible for advising the board in making decisions that have economic, environmental, and social impacts. PO1, PO6, AI6 EDM01, EDM05, APO01, APO02, APO03
G4-35 Report the process used for the delegation of authority on economic, environmental, and social topics through the highest governance body, senior executives, and other employees. PO4, PO6 APO05, APO07, APO08, BAI01, BAI02
G4-36 Report whether the organization has designated one or more positions and executive level roles that are responsible for economic, environmental, and social issues and those responsible report directly to the highest governance body. PO4 EDM01

Source: Prepared by the authors.

The greatest adherence attributed to aspects of ethics and integrity, governance, strategy and analysis, and stakeholder engagement, according to Laurindo (2008), derive from the fact that the COBIT framework refers to the management of IT resources and internal processes, and their alignment with the business in a way that makes management transparent.


The economic aspects addressed by COBIT 5 include cost management, resource optimization, control of suppliers, contracting services, and ensuring the transparency of the use of resources by stakeholders. Economic relations focused on economic performance and the presence of the company's market as defined by the GRI-G4, do not have a direct relationship with COBIT, given the characteristics and model application objectives in the area of ​​IT, as shown in Table 3.

Table 3.:
GRI and COBIT Relationship - Economic Aspects
ECONOMIC IMPACTS INDIRECT G4-EC7 a. Report the level of development of significant investments in infrastructure and supported services. b. Report the current or expected impacts on communities and local economies. Report important positive and negative impacts. c. Report whether these investments and services are commercial, in kind, or free. PO5 EDM02, APO04, APO05, APO06, APO11, BAI01
PROCUREMENT PRACTICES G4-EC9 a. Report the purchasing budget percentage and contract expenditure of significant operations that are spent with local suppliers (e.g.: percentage of purchased goods and services hired locally). b. Report the geographic definition of "local" adopted by the organization. c. Report the definition used for "major operations". PO5, AI1, AI5, DS1 EDM04, EDM05, APO09, APO10

Source: Prepared by the authors.

About economic aspects of sustainability and their association to the COBIT objectives, they acquire importance due to the need for IT financial measures because, according to Ferreira and Ramos (2005) it is difficult to prepare financial indicators that are easily understood by managers and executives, hindering investment in this area. Furthermore, the analyzed factors are essential to the management of Sustainable IT, considering that the procurement practices and implementation of the COBIT model are fundamental in the analysis of the product lifecycle.


Environmental aspects are only represented in the GRI approach through the use of energy resources, since this is the main impact generated by technology infrastructure maintenance and development activities, which includes facilities and equipment (hardware), systems (applications and operations), and telecommunication resources (networks, the internet, among others). The identified relationships can be seen in Table 4.

Table 4.:
Relationship GRI x COBIT - Environmental Aspects
ENERGY G4-EN4 a. Relate the energy consumed outside the organization in joules or multiples. B. Report standards, methods, and assumptions adopted. w. Report the source of the used conversion factors.   EDM04
G4-EN5 a. Report the energy intensity ratio. b. Report the specific metric (index denominator) chosen by the organization to calculate this ratio. c. Report the types of energy included in the intensity ratio: fuel, electricity, heating, cooling, steam, or all. d. Report whether the rate uses the energy consumed within the organization, outside or both.   EDM04
G4-EN6 a. Report the amount of reductions in energy consumption achieved as a direct result of conservation and efficiency initiatives, in joules or multiples. b. Report the types of energy included in the reductions: fuel, electricity, heating, cooling, and steam. c. Report the basis for calculating reductions in energy consumption such as base year or baseline, and the rationale for choosing it. d. Report standards, methodologies, and assumptions used.   EDM04

Source: Prepared by the authors.

Regarding environmental aspects, the GRI proposes indicators necessary for one of the main functions of the principles related to Green IT and Green software: energy efficiency. Because the return on Green IT investments is long term, the indicators stipulated by the GRI for this analysis serve as a basis for the better management of IT resources, a premise of the COBIT model, providing mechanisms to justify such investments in a transparent and understandable manner.


For social aspects, COBIT relates to the GRI in subcategories that involve IT employees and professionals, addressing training, management structure, and the relationships within and outside the technology area, as shown in Table 5.

Table 5.:
GRI x COBIT Relationship - Social Aspects
SOCIAL ETHICS AND INTEGRITY G4-56 Describe the organization’s values, principles, standards and norms of behavior such as codes of conduct and codes of ethics. ME4
G4-57 Report the internal and external mechanisms for seeking advice on ethical and lawful behavior, and matters related to organizational integrity, such as helplines or advice lines. ME3, ME4 APO01, APO12, APO13, BAI10, DSS05
G4-58 Report the internal and external mechanisms for reporting concerns about unethical or unlawful behavior, and matters related to organizational integrity, such as escalation through line management, whistleblowing mechanisms or hotlines. ME4 MAE02, MAE03
SOCIAL TRAINING AND EDUCATION G4-LA9 (OECD) Report the average hours of training that the organization’s employees have undertaken during the reporting period, by i) gender; ii) employee category PO7, AI4, AI7, DS7 EMD02, EDM04, APO01, APO02, APO04, APO07, APO08, BAI05, BAI08,
G4-LA10 a. Report on the type and scope of programs implemented and assistance provided to upgrade employee skills. b. Report on the transition assistance programs provided to facilitate continued employability and the management of career endings resulting from retirement or termination of employment. PO7, AI4, AI7, DS7, ME3, ME4 EMD02, EDM04, APO01, APO02, APO04, APO07, APO08, BAI05, BAI08,
PRODUCT LIABILITY LABELING OF PRODUCTS AND SERVICES G4-PR3 b. Report the percentage of significant product or service categories covered by and assessed for compliance with such procedures. PO8, AI1 EDM01, EDM02, EDM05, APO02, APO08, APO09, APO10, APO11, BAI02, BAI03, BAI04, BAI06, DSS01, DSS02, DSS03, DSS04, DSS06, MEA01
G4-PR4 a. Report the total number of incidents of non-compliance with regulations and voluntary codes concerning product and service information and labeling, by: - Incidents of non-compliance with regulations resulting in a fine or penalty - Incidents of non-compliance with regulations resulting in a warning - Incidents of non-compliance with voluntary codes b. If the organization has not identified any non-compliance with regulations and voluntary codes, a brief statement of this fact is sufficient. PO8 DSS02, DSS03, DSS04, DSS06, MEA01
G4-PR5 a. Report the results or key conclusions of customer satisfaction surveys (based on statistically relevant sample sizes) conducted in the reporting period relating to information about: - The organization as a whole - A major product or service category - Significant locations of operation PO8 MEA01

Considering the social aspects of Sustainable IT, many findings arise. While it is difficult for IT to separate social aspects from the economic ( Faucheux & Nicolaï, 2011) the fact that the subcategories training and education present adherence, even if moderate, comes into line with Harmon and Auseklis (2009). This strategy relates to the importance of creating a sustainable organizational culture to make the employee more conscientious of issues, opportunities and actions to achieve desired results.


This article was dedicated to analyzing COBIT requirements and their relation to the sustainability indicators proposed by the GRI-G4 to identify the compatibility of these two widely used models. Despite its qualitative nature, evidence of strong relationships was identified for general categories that address governance, a moderate relationship with the social aspects, and a weak relationship with environmental and economic aspects.

Although relevant in the evaluation and monitoring of Sustainable IT, environmental and economic factors had poor adhesion in the studied sample. This is due, according to Siggins and Murphy (2009), to many executives and managers deeming it harder to quantify environmental values ​​compared to financial ones; however, this is the principle element of Sustainable IT, in addition to ratifying monitoring commitments in the company as a whole, which requires greater investments ( Siggins & Murphy, 2009).

Regarding product labelling, its adherence indicates the importance of minimum environmental impacts for IT services and products ( Harmon & Auseklis, 2009). Thus, the association of the quality of monitoring foreseen by COBIT with the indicators for the labelling of products provide a more accurate evaluation for achieving proposed goals.

By making use of the COBIT model, this study sought to present how aspects of corporate sustainability can be aligned with IT governance through indicators, with a view of the practices associated with the concepts of Sustainable IT, Green IT, and Green Software. In this context, a new study on the practical application of the proposed model is suggested, which should collaborate with the framework construction directed at Sustainable IT management in all its nuances and impact.

The findings area aligned with the principles advocated by Harmon and Auseklis (2009), who state that sustainable indicators do not directly reflect Sustainable IT; however, Sustainable IT strategies improve infrastructure and all business processes, directly influencing corporate social responsibility results.

The study has limitations related to the practical validation of the conclusions obtained from the research and analyses since it is documental analysis. For future studies, undertaking case studies examining the models’ application in companies that publish sustainability reports are recommended, which would make a real assessment of the integration of sustainability aspects in IT evaluation models. Another possible alternative is to conduct a survey research with the goal of studying the profile of IT companies and how they use and implement sustainability aspects in their management.


  1. (). . Mercado Brasileiro de Software - Panorama e Tendencias 2016.
  2. , , (). Developing Maturity Models for IT Management. Business & Information Systems Engineering 1(3), 213-222.
  3. , , (). Green Software Introduction. IEEE Software 31(3), 36-39.
  4. , (). Integrative framework for assessing firms’ potential to undertake Green IT initiatives via virtualization-A theoretical perspective. The Journal of Strategic Information Systems 20(1), 38-54.
  5. , (). Green IT adoption: a process management approach. International Journal of Accounting and Information Management 20(1), 63-77.
  6. (). . Brasil TI-BPO BOOK.
  7. , , (). The rise of the Global Reporting Initiative: a case of institutional entrepreneurship. Environmental Politics 18(2), 182-200.
  8. , , , , , (). Sustainability report: profile of Brazilian and foreign organizations according to the Global Reporting Initiative guidelines. Gestão & Produção 20(4), 913-926.
  9. (). . Investimentos em data centers crescem 40% com crise energética.
  10. , (). A Green Software Development Life Cycle for Cloud Computing. IT Professional 15(1), 28-34.
  11. , , (). From green to sustainability: Information Technology and an integrated sustainability framework. The Journal of Strategic Information Systems 20(1), 63-79.
  12. , (). IT Governance and Process Maturity: A Multinational Field Study. Journal of Information Systems 27(1), 157-188.
  13. , (). Tamed transparency: How information disclosure under the Global Reporting Initiative fails to empower. Global Environmental Politics 10(3), 74-96.
  14. , (). IT for green and green IT: A proposed typology of eco-innovation. Ecological Economics 70(11), 2020-2027.
  15. , (). Tecnologia da Informação: commodity ou ferramenta estratégica. Revista de Gestão Da Tecnologia E Sistemas de Informação 2(1), 69-79.
  16. , (). Sustainable IT services: Assessing the impact of green computing practices. Revista Brasileira de Pós-Graduação 5, 1707-1717.
  17. , , , .. 2010. 1-10.
  18. (). A natural-resource-based view of the firm. Academy of Management Review 20(4), 986-1014.
  19. (). Beyond greening: Strategies for a Sustainable World. Harvard Business Review 75(1), 66.
  20. , (). Creating sustainable value. Academy of Management Executive 17(2), 56-67.
  21. , (). Broad sustainability contra sustainability: the proper construction of sustainability indicators. Ecological Economics 50(3-4), 249-260.
  22. (). . . Illinois, USA: ITGT - IT Governance Institute. .
  23. (). . . Illinois, USA: ISACA- Information Systems Audit and Control Association. .
  24. , , (). Managing materiality: a preliminary examination of the adoption of the new GRI G4 guidelines on materiality within the business community. Journal of Public Affairs
  25. , , (). Using indicators to measure sustainability performance at a corporate and project level. Journal of Business Ethics 44(2-3), 149-158.
  26. , (). A percepção dos gestores operacionais sobre os impactos gerados nos processos de trabalho após a implementação das melhores práticas de governança de TI no TRE/SC. Revista de Administração Pública 48(4), 961-982.
  27. , (). . . .
  28. (). . . Atlas. .
  29. (). Sustainability indicators-integrating quality of life and environmental protection. Journal of the Royal Statistical Society: Series A (Statistics in Society) 161(3), 291-302.
  30. , , (). The Contested Politics of Corporate Governance: The Case of the Global Reporting Initiative. Business & Society 49(1), 88-115.
  31. , (). Controles de Governança de Tecnologia da Informação para a terceirização de processos de negócio: Uma proposta a partir do COBIT. JISTEM Journal of Information Systems and Technolog Management 8(1), 237-262.
  32. , , (). TI Verde: Uma análise dos principais benefícios e práticas utilizadas pelas organizações. Revista Eletrônica de Administração 20(1), 1-30.
  33. , , .. 1-10.
  34. , (). . . .
  35. , , , .. Chicago. Illinois. 3, 1836-1844.
  36. (). Organizational motivations for Green IT: Exploring Green IT matrix and motivation models. PACIS 2009 Proceedings 13
  37. , , .. 2009. 1-17. Proceedings. Paper 141
  38. (). Harnessing green IT: Principles and practices. IT Professional 10(1), 24-33.
  39. , , , (). The GREENSOFT Model: A reference model for green and sustainable software and its engineering. Sustainable Computing: Informatics and Systems 1(4), 294-304.
  40. (). . . Paris: Organisation for Economic Co-operation and Development. .
  41. , (). Green and competitive: ending the stalemate. Harvard Business Review 61
  42. , (). Green agile maturity model for global software. Sci.Int.(lahore) 26(5), 2041-2043.
  43. , (). . Putting Green IT to Work for Corporate Sustainability. Retrieved August 10, 2015, from (accessed )
  44. , (). An approach to sustainability for information systems. Journal of Systems and Information Technology 9(2), 167-176.
  45. (). . . Springer. .151-162.
  46. CMMI® for Development, Version 1.3 CMMI-DEV, V1.3. software
  47. (). The role of the global reporting initiative’s sustainability reporting guidelines in the social screening of investments. Journal of Business Ethics 43(3), 233-237.


Process COBIT 4.1 - Abbreviations and Meanings.
Processes - COBIT 4.1 Abbreviation Meaning
Plan and Organize PO1 Define a Strategic IT Plan
  PO2 Define the Information Architecture
  PO3 Determine Technological Direction
  PO4 Define the processes, organization, and Relationships of IT
  PO5 Manage IT Investment
  PO6 Report Guidelines and Board Expectations
  PO7 Manage IT Human Resources
  PO8 Manage Quality
  PO9 Assess and Manage IT Risks
  PO10 Manage Projects
Acquire and Implement AI1 Identify Automated Solutions
  AI2 Acquire and Maintain Application Software
  AI3 Acquire and Maintain Technology Infrastructure
  AI4 Enable Operation and Use
  AI5 Procure IT Resources
  AI6 Manage Change
  AI7 Install and Sanction Solutions and Changes
Deliver and Support DS1 Define and Manage Service Levels
  DS2 Manage Third Party Services
  DS3 Manage Capacity and Performance
  DS4 Ensure Service Continuity
  DS5 Ensure Safety Services
  DS6 Identify and Allocate Costs
  DS7 Educate and Train Users
  DS8 Manage the Service Desk and Incidents
  DS9 Manage Configuration
  DS10 Manage Issues
  DS11 Manage Data
  DS12 Manage the Physical Environment
  DS13 Manage Operations
Monitor and Evaluate ME1 Monitor and Evaluate Performance
  2SM Monitor and Evaluate Internal Control
  ME3 Ensure Compliance with External Services
  ME4 Provide IT Governance

Source: ITGI, 2007.

Processes COBIT 5.0 - Abbreviations and Meanings.
Processes - COBIT 5.0 Initials Meaning
Evaluate, Direct, and Monitor EDM01 Ensure Definition and Maintenance of the Governance Model
  EDM02 Ensuring Benefits Realization
  EDM03 Ensure Risk Optimization
  EDM04 Ensure Optimization of Resources
  EDM05 Ensure Transparency for Stakeholders
Align, Plan, and Organize APO01 Manage IT Management Structure
  APO02 Managing Strategy
  APO03 Manage Organization Architecture
  APO04 Managing Innovation
  APO05 Manage Portfolio
  APO06 Manage Budget and Costs
  APO07 Manage Human Resources
  APO08 Manage Relationships
  APO09 Manage Delivery of Service Contracts
  APO10 Manage Suppliers
  APO11 Manage Quality
  APO12 Manage Risks
  APO13 Manage Security
Build, Acquire, and Implement BAI01 Manage Programs and Projects
  BAI02 Manage Definition of Requirements
  BAI03 Manage Identification and Solution Development
  BAI04 Manage Availability and Capacity
  BAI05 Manage Organizational Change Capacity
  BAI06 Manage Change
  BAI07 Manage Acceptance and Transition of Change
  BAI08 Manage Knowledge
  BAI09 Manage Assets
  BAI10 Manage Configuration
Deliver, Service, and Support DSS01 Manage Operations
  DSS02 Manage Applications and Service Incidents
  DSS03 Manage Issues
  DSS04 Manage Continuity
  DSS05 Manage Security Services
  DSS06 Manage Business Process Controls
Monitor, Evaluate, and Analyze MEA01 Monitor, Evaluate, and Analyze Performance and Compliance
  MEA02 Monitor, Evaluate, and Analyze the Internal Control System
  MEA03 Monitor, Evaluate, and Analyze Compliance with External Requirements

Source: ITGI, 2012.