JURNAL ILMIAH KOMPUTERISASI AKUNTANSI. Vol. No. 2, December 2024, pp. 349-365. p-ISSN: 1979-116X. e-ISSN: 2621-6248. DOI: 10. 51903/kompak. http://journal. id/index. php/kompak

Digital Transformation of BPRACo by Designing IT Governance with COBIT 2019 SME Focus Area

Agung Rizaldi 1, Rahmat Mulyana 2, Luthfi Ramadani 3
Information Systems, School of Industrial Engineering, Telkom University. agungrizaldi@student.
Department of Computer and Systems Sciences, Stockholm University. rahmat@dsv.
Information Systems, School of Industrial Engineering, Telkom University. luthfi@telkomuniversity.

ARTICLE INFO
Article history: Received 26 September 2024. Received in revised form 18 October 2024. Accepted 15 November 2024. Available online 1 December 2024.

ABSTRACT
Digital transformation (DT) is a necessity for incumbent companies today, including MSMEs, if they are to keep competing in an era of technological disruption accelerated by the COVID-19 pandemic. This research aims to design IT governance (ITG) for BPRACo MSMEs using the COBIT 2019 SME focus area framework. The research method used is design science research (DSR), which creates artifacts in the form of ITG solution development methods and systems. The research results revealed that the highest GMO priorities selected were APO10 Managed Vendors, MEA03 Managed Compliance with External Requirements, and APO12 Managed Risk. From the analysis of the selected GMOs, there are gaps and recommendations for improvement in the seven components, which are then mapped into three aspects, namely people, process and technology. The results of the research analysis show that the ambidextrous IT governance approach has succeeded in increasing the level of capability in several main components of BPRACo MSMEs in adopting DT. The right ITG strategy can help BPRACo MSMEs operating in the banking industry achieve a successful DT journey.

Keywords: Digital Transformation. Design Science Research. IT Governance. COBIT 2019 SME Focus Area.
Bank. BPRACo. COBIT 2019 SME Focus Area. Digital Transformation. IT Governance.

Introduction

Digital transformation (DT) is essential for every company today to avoid falling behind due to technological disruption, which has been accelerated by the COVID-19 pandemic (Pahrevi et al. , 2. The technologies from DT that companies can implement to increase efficiency and competitiveness include mobile applications, websites, digital customer service, cloud computing, and artificial intelligence as enablers (Bloomberg, 2018. Nirmala & Lavianto, 2. DT is a crucial factor for maintaining stability and increasing a company's stock value. Moreover, digital transformation can also enhance customer satisfaction in the financial industry in Indonesia (Gurbaxani & Dunkle, 2019. Mulyana et al. , 2024. Many companies have invested in DT but have not achieved the expected results and tend to fail due to poor IT governance (ITG) (Obwegeser et al. , 2. Governance structure, business processes, and relational mechanisms are important stakeholders in the effective implementation of DT (Mulyana et al. , 2. In previous research, 46 ITG mechanisms have been identified as positively impacting DT in the financial industry in Indonesia, specifically at Bank Rakyat Indonesia. These 46 mechanisms consist of 20 governance structures, 21 business processes, and 5 relational mechanisms (Mulyana et al. , 2.

A framework is an appropriate solution to help companies begin their DT journey. COBIT 2019 is a framework that can assist in starting the DT journey from an ITG perspective by leveraging IT and business alignment within a company (Lompoliu et al. , 2. Therefore, COBIT 2019 is crucial for DT, especially in the financial industry. However, COBIT 2019 is considered well-suited for large companies but not for small to medium-sized enterprises (SMEs)
due to the complexity of its implementation (Volders. Nonetheless, COBIT 2019 is not entirely irrelevant for SMEs but requires a simplified method to make it more flexible for smaller companies (Kyller et al. , 2. As a result, ISACA has released the COBIT 2019 Small and Medium Enterprise Focus Area book, which has been simplified to a more specific context and is relevant to the situation of SMEs (ISACA, 2.

BPRACo, as a micro, small, and medium enterprise (MSME) in the financial industry, also known as a microfinance institution (LKM) (Otoritas Jasa Keuangan, 2. , needs to adopt ambidextrous IT governance mechanisms to optimize the implementation of limited resources and IT management strategies to enhance company performance through DT. These hybrid IT governance mechanisms combine traditional ITG with agile-adaptive ITG (Mulyana et al. , 2. Additionally, BPRACo must comply with the regulations stated in the Otoritas Jasa Keuangan Regulation Number 75/POJK.03/2016 concerning IT standards for Rural Banks (BPR) and Rural Sharia Banks (BPRS) (Otoritas Jasa Keuangan, 2. The advancement of IT brings not only positive impacts but also negative ones, requiring companies to continually innovate and implement digital transformation with limited resources (Mulyana et al. , 2. Therefore, implementing DT at BPRACo as an MSME with good ITG is necessary, guided by the COBIT 2019 Small and Medium Enterprise Focus Area book (ISACA, 2.

This study differs from previous research at a large bank that designed ITG using COBIT 2019 Governance and Management Objectives focused on the Align, Plan, and Organize (APO) domain in general (Permana et al. , 2. Moreover, prior studies used COBIT 2019 Focus Areas such as Information Security, I&T Risk Management, and DevOps in the fintech sector (Prayudi et al. , 2023. Satriadi et al. , 2. , insurance sector (Andyas et al. , 2023. Viamianni et al. , 2. , and large-scale banks (Dewi et al. , 2023. Rahmadana et al. , 2023. Tarbiyatuzzahrah et al.
, 2. , which do not fall under the MSME category and did not implement the COBIT 2019 SME Focus Area framework.

DT is a fundamental change process that adopts disruptive technology to increase value, with one such value being related to ITG (Ebert & Duarte, 2018. Gong & Ribiere, 2021. Gurbaxani & Dunkle, 2. Haes et al. , . states that ITG itself is an integral part of corporate governance, involving the implementation of structures, processes, and relational mechanisms. An agile strategy in ITG can lead to the success of DT, as this strategy is adopted to avoid DT failures due to poor ITG (Obwegeser et al. , 2020. Vejseli et al. , 2. In earlier research at Bank Rakyat Indonesia, a large-scale bank, hybrid IT governance mechanisms using agile-adaptive ITG strategies and traditional ITG strategies were found to guide corporate ITG to optimize resources and IT management strategies to enhance performance through DT (Mulyana et al. , 2024.

This research uses the COBIT 2019 SME Focus Area framework to formulate several questions:
- How is ITG based on the results of a gap analysis assessment in the scope of the design factor priority COBIT 2019 SME focus area for MSME DT?
- How do the seven components of the COBIT 2019 SME focus area impact MSME DT?
- How does the estimated increase in ITG capability based on the COBIT 2019 SME focus area influence digital transformation in MSMEs?
- Does the influence of ITG improvement design assist the DT journey in the MSME scope?

Research Methods

In this study, the method used is the design science research (DSR) framework. DSR is a method for creating artifacts in the form of models, methods, and systems to support the development and management of ITG solutions (A. Hevner & Chatterjee, 2010. Hevner et al. Johannesson & Perjons, 2. The conceptual method used can be seen in Figure 1.

Figure 1.
Research Methods, adapted from (A. Hevner et al. , 2.

Figure 1 shows an illustration of the DSR research method. The DSR research method is divided into three sections: environment, research, and knowledge base.

Figure 2. Research Process

Figure 2 explains the research process in this study. The research process is divided into five stages: problem explanation, requirement determination, design and development, demonstration, and evaluation. In the problem explanation stage, there are four steps: identifying the problem, defining the research problem, setting research objectives, and determining the research. In the requirement determination stage, there are six steps: creating a list of questions, conducting semi-structured interviews to collect various data at BPRACo that can be found at with credible persons in four sessions, as written in Table 2, using an iterative approach and document triangulation to achieve data saturation (Fusch Ph D & Ness, 2. , prioritizing IT governance and technology (ITG) objectives based on the prioritization mechanism, analyzing the seven components' capabilities, analyzing the capability gaps of the seven components, and analyzing potential improvement recommendations. In the design and development stage, there are three steps: drafting potential improvement recommendations, drafting recommendations for the people, process, and technology aspects, and drafting improvement prioritization based on resources, risk, and value. In the demonstration stage, there are two steps: developing an implementation roadmap and analyzing the impact of implementation on the design of the seven components' capability recommendations for ITG. In the evaluation stage, there are four steps: testing credibility, transferability, dependability, and confirmability (Shenton, 2.
1 Data Collection

Data for this research was collected using two methods: semi-structured interviews with key informants at BPRACo to gather primary data, and document triangulation to collect internal and external company documents as secondary data. The specific data needed for this research are listed in Table 1.

Table 1. Data Requirements
Data Type | Data Name
Primary Data | Internal Situation Data of BPRACo
Secondary Data | BPRACo Profile
Secondary Data | BPRACo Organizational Structures
Secondary Data | BPRACo Annual Report
Secondary Data | Strategic plan document of BPRACo
Secondary Data | Regulatory Documents Related to IT Governance at BPRACo

The data were gathered through four sessions of offline and online interviews conducted between March 2024 and June 2024 with four respondents. Detailed methods can be found in Table 2.

Table 2. Collection Data Details
Date Sessions Respondents 14 March 2024 Offline Operational Director Manager of IT, Research, and Business Development 15 March 2024 Offline HR Manager 26 April 2024 Online IT Staff 20 June 2024 Online

According to the collected data, it can be concluded that BPRACo is developing and aligning its general organization because of a merger and migration. BPRACo needs a guideline to align its current policies and procedures regarding IT and business alignment.

2 Data Analysis

The collected data is then analyzed using COBIT design factors, the prioritization of IT governance and management (ITGM) objectives for COBIT 2019 Small and Medium Enterprises (SME) focus areas, IT governance process mechanisms, and applicable regulations. These factors are used to measure the top-priority ITG objectives, which are then analyzed using the seven components of COBIT 2019 SME focus areas: process components, organizational structure components, information components, people, skills, and competencies components, principles, policies, and procedures components, culture, ethics, and behavior components, and services, infrastructure, and applications components.
3 Evaluation

The results of this research will be evaluated based on credibility testing, transferability testing, dependability testing, and confirmability testing. (Shenton, 2.

Research Results

Table 3 presents the prioritization results from several assessment mechanisms, including design factors (DF), COBIT 2019 SME Focus Area for SMEs, applicable regulations, references from papers on IT Governance Mechanisms, and the total obtained from these four assessments.

Table 3. Results of Prioritization Mechanism Analysis
GMO SME Focus Area APO10 MEA03 APO12 Regulation ITG Mechanism Total

From the prioritization results in Table 3, there are three prioritized Governance & Management Objectives (GMO): APO10 Managed Vendors, MEA03 Managed Compliance with External Requirements, and APO12 Managed Risk. These three prioritized GMOs are used to analyze IT governance at BPRACo.

1 Results of Gap Analysis for Process Components

Table 4 displays the results of the assessment of process component practices for the GMOs in the research subject, along with the achieved capability levels.

Table 4. Results of Gap Analysis for Process Components
GMO Practices Assessment Capability Levels
APO10 Managed Vendors
APO10. 100% Fully 100% Fully 50% Partially
APO10. 50% Partially 100% Fully
APO10. 100% Fully 100% Fully 100% Fully
APO10. 50% Partially 25% Partially
APO10. 100% Fully 100% Fully 100% Fully 50% Partially
Total Capability Level Achieved by APO10
Average APO10 Capability Score
MEA03 Managed Compliance with External Requirements
MEA03. 100% Fully 100% Fully
MEA03. 100% Fully
MEA03. 100% Fully 0% Not Achieved 0% Not Achieved
MEA03. 100% Fully 100% Fully
Total Capability Level Achieved by MEA03
Average MEA03 Capability Score 3.25
APO12 Managed Risk
APO12. 100% Fully 100% Fully 50% Partially
APO12. 100% Fully 100% Fully 100% Fully
APO12.
100% Fully 100% Fully 75% Largely
APO12. 100% Fully 100% Fully
APO12. 100% Fully 100% Fully
APO12. 100% Fully 100% Fully 100% Fully
Total Capability Level Achieved by APO12
Average APO12 Capability Score
Legend: Gaps in GMO Practices

Table 4 shows that the average capability scores are 3.2 for APO10, 3.25 for MEA03, and 3.8 for APO12. The processes are derived from the COBIT 2019 Focus Area for SMEs. The results indicate gaps in the practices for GMO APO10. APO10. APO10. MEA03. APO12. 01, and APO12.

2 Results of Gap Analysis for Organizational Structures Components

Table 5 explains the recommended organizational structure from the COBIT 2019 SME Focus Area and the related GMOs that suggest this organizational structure, along with the current organizational structure of BPRACo.

Table 5. Gap Analysis for Organizational Structures Component
Organizational Structure of COBIT 2019 SME | GMO | Organizational Structures of BPRACo
General Manager | MEA03 | Chief Executive Officer
Financial Manager | MEA0 | There is currently no role for a Finance Manager
Operations Manager | MEA03 | Operations Manager
Business Process Owners | MEA03, APO12 | Business Process Owners
Head of IT | APO10, MEA03, APO12 | IT Manager, Research, and Business Development
Security Expert | APO12 | There is currently no role for a Security Expert
IT Development Coordinator | APO10, MEA03, APO12 | IT Manager, Research, and Business Development
IT Operations Coordinator | APO10, MEA03, APO12 | IT Manager, Research, and Business Development
Privacy Officer | APO10, MEA0, APO12 | There is currently no role for a Privacy Officer
Legal Department | APO10, MEA03 | Executive Officer, Corporate Secretary and Corporate Legal
Compliance or Quality | APO10, MEA03 | Executive Officer for Compliance, MR, and APU PPT
Audit | MEA03 | Executive Officer for Internal Audit
Legend: Gaps in Organizational Structures

The results from Table 5 show gaps in the positions of Financial Manager, Security Expert, and Privacy Officer. BPRACo does not currently have these recommended roles in place.

3 Results of Gap Analysis for Information Components

Table 6 explains details about the information components for each GMO practice, including the recommended information outputs and the current state at BPRACo.

Table 6. Gap Analysis for Information Component
Information Output | Current State
APO10 Managed Vendors
Vendor catalog | Vendor Management Policy
Potential revisions to vendor contracts | Vendor Management Policy
Vendor significance and evaluation criteria | Service Level Monitoring Policy
Vendor RFIs and RFPs | Vendor Selection SOP
RFI and RFP | No RFI and RFP Evaluation Documents Available
Decision results of vendor evaluations | Vendor Selection SOP
Results and suggested improvements | Change Request SOP
Vendor roles and responsibilities | Vendor Management Policy
Identified vendor delivery | No Vendor Risk Identification Conducted
Identified contract requirements to minimize risk | Service Level Agreement (SLA) SOP
Vendor compliance monitoring criteria | Service Level Agreement (SLA) SOP
Vendor compliance monitoring review | Service Level Agreement (SLA) SOP
MEA03 Managed Compliance with External Requirements
Log of required compliance actions | Internal Audit Policy
Compliance requirements register | Internal Audit Policy, Issue Handling Policy, and Incident Handling Policy, along with Daily Log Activity
Communication of changed compliance | Change Log Document
Updated I&T policies and procedures | Change Management Policy
Compliance confirmations | Internal Audit Policy
Identified compliance gaps | Compliance Gap Mapping Not Yet Conducted
No Output |
APO12 Managed Risk
Identified risk issues and factors | Risk Management Policy
Data on risk events and contributing | Risk Management Policy and Risk Profile
Risk analysis results | Risk Management Policy and Risk Profile
Documented risk profile, including status of risk management actions | Risk Management Policy and Risk Profile
Risk analysis and risk profile reports for | Risk Management Policy
Results of third-party risk assessment | No Third-Party Risk Analysis Available
Project proposals for reducing risk | Risk Management Policy
Risk impact communication | Risk Management Policy
Risk-related root causes | Risk Management Policy and Issue Handling Policy
Legend: Gaps in GMO Practices

Table 6 explains that BPRACo still has gaps in the information components for GMO practices APO10. APO10. MEA03. 03, and APO10.

4 Results of Gap Analysis for People, Skills, and Competencies Components

Table 7 details the recommended skills for each GMO APO10, MEA03, and APO12, along with the current condition at BPRACo.

Table 7. Gap Analysis for People, Skills, and Competencies Component
Skills | Current State
APO10 Managed Vendors
Contract Management | BPRACo already has someone who can manage contracts.
Purchasing | BPRACo has someone responsible for purchasing from external
Sourcing | There is currently no expert in sourcing.
MEA03 Managed Compliance with External Requirements
Information Security | There is a team established to ensure information security.
APO12 Managed Risk
Business Risk Management | BPRACo already has a team with skills to manage business risks.
Information Assurance | BPRACo already has an individual with skills related to Information Assurance.
Risk Management | BPRACo has a SMKI team with skills in managing risks.
Legend: Gaps in Skills

Table 7 shows that BPRACo still has a gap in sourcing skills within the people, skills, and competencies component recommended by GMO APO10.

5 Results of Gap Analysis for Principles, Policies, and Procedures Components

Table 8 explains the relevant policies for each selected GMO.

Table 8. Gap Analysis for Principles, Policies, and Procedures Component
Relevant Policies | Current State
APO10 Managed Vendors
Third-Party IT Service Delivery Management Policy | Vendor Management Policy, Service Level Monitoring Policy, Vendor NDA Appendix
MEA03 Managed Compliance with External Requirements
Compliance Policy | Internal Audit Policy and Employee KPIs
APO12 Managed Risk
There are no specific principles, policies, and procedures for small and medium-sized enterprises for this management objective.

Table 8 presents the results of the gap analysis for the principles, policies, and procedures components, showing that BPRACo does not have gaps in GMO APO10, MEA03, and APO12.

6 Result of Gap Analysis for Cultures, Ethics, and Behavior Component

Table 9 displays the culture, ethics, and behavior components of the selected GMO practices, as well as the cultural recommendations that should be implemented at BPRACo.

Table 9. Gap Analysis for Cultures, Ethics, and Behavior Component
Key Cultural Elements | Current State
APO10 Managed Vendors
Building and managing a vendor ecosystem that can assist the organization in its digital transformation and innovation. Continuously scanning the landscape for effective new partners. | BPRACo has not yet continuously scanned for new partners while still maintaining contracts with existing vendors.
MEA03 Managed Compliance with External Requirements
Promoting a culture of compliance awareness, including zero tolerance for non-compliance with legal and regulatory requirements. | BPRACo maintains a compliance culture with legal requirements due to its operations in the financial sector.
APO12 Managed Risk
To support a transparent and participative risk culture, senior management must set the direction and demonstrate visible and genuine support for integrating risk practices across the organization. Management should encourage open communication and business ownership of risks related to IT and technology. | Currently, BPRACo has implemented a communication culture with governance related to risk management.
Legend: Gaps in Key Cultural Elements

Table 9 shows that BPRACo still has a gap in the recommended culture for practice APO10, specifically in continuously scanning the landscape for more effective vendors.

7 Result of Gap Analysis for Services, Infrastructures, and Applications Component

Table 10 displays the recommended service, infrastructure, and application components for each GMO to support various business services.

Table 10. Gap Analysis for Services, Infrastructures, and Applications Component
Services, Infrastructures, and Applications | Current State
APO10 Managed Vendors
Contract Management System | BPRACo does not yet have an application for managing contract systems.
Third-party Assurance Services | BPRACo is already using third-party services.
MEA03 Managed Compliance with External Requirements
Regulatory Watch Services | BPRACo does not yet use regulatory monitoring tools.
Third-party Compliance Assessment Services | BPRACo uses external services to test its compliance.
APO12 Managed Risk
Crisis Management Services | BPRACo has the DUDE application, which helps handle crises with reliable data recovery.
Governance, Risk and Compliance (GRC) tools | BPRACo has the DUDE application, which can assist with data governance.
Risk Analysis Tools | BPRACo does not yet have an application related to risk
Risk Intelligence Services | BPRACo does not have services related to risk intelligence
Legend: Gaps in Services

Table 10 explains that BPRACo currently still has gaps in contract management system services, regulatory watch services, risk analysis tools, and risk intelligence services.

8 Potential Improvement

This section contains improvement recommendations for each identified gap. The improvement recommendations are divided into three aspects: people, process, and technology.

Table 11. People Aspect Potential Improvement
Components | Type | Potential Improvement
APO10 Managed Vendors
Organizational Structure | Responsibility | Adding responsibilities as a Data Protection Officer
People, Skills, and Competencies | Skill & Awareness | Conducting staff training and awareness related to
Culture, Ethics, and Behavior | Responsibility | Increasing responsibilities for regularly finding
MEA03 Managed Compliance with External Requirements
Organizational Structure | Roles, Responsibility | Adding a new role as Financial Manager
APO12 Managed Risk
Organizational Structure | Skill & Awareness | Conducting training and obtaining professional certification in the field of network security

Table 11 outlines the improvement recommendations for gaps in the people aspect, which includes organizational structure, people, skills and competencies, and culture, ethics, and behavior components.

Table 12. Process Aspect Potential Improvement
Components | Type | Potential Improvement
APO10 Managed Vendors
Process | Procedures | Adding procedures for requesting RFI and RFP documents, vendor risk mitigation for contracted vendors, and periodic vendor performance evaluation procedures
Information | Record | Creating documents for vendor evaluation results obtained from vendor RFI and RFP documents
Information | Record | Adding documents for identifying risks posed by vendors
MEA03 Managed Compliance with External Requirements
Process | Procedures | Adding procedures for handling compliance that BPRACo has not yet
Information | Record | Adding additional documents related to the gaps experienced by BPRACo in relation to regulations
APO12 Managed Risk
Process | Procedures | Adding procedures for risk handling scenarios and their impact on business activities
Process | Procedures | Adding indicators for risks that can be quickly identified
Information | Record | Adding documentation for reports to evaluate the results of risk assessments for third parties collaborating with BPRACo

Table 12 presents explanations for improvement recommendations addressing gaps in the process aspect, which includes process components and information components. However, Table 12 only displays the process and information components, as the principles, policies, and procedures components currently do not have any gaps at BPRACo.

Table 13. Technology Aspect Potential Improvement
Components | Type | Potential Improvement
APO10 Managed Vendors
Services, Infrastructures, and Applications | Tools | Determining tools that can help BPRACo manage its contract system
MEA03 Managed Compliance with External Requirements
Services, Infrastructures, and Applications | Tools | Determining tools or services to monitor the latest regulations issued by regulators
APO12 Managed Risk
Services, Infrastructures, and Applications | Tools | Determining applications that can help BPRACo analyze potential risks within the company
Services, Infrastructures, and Applications | Features | Determining services or features that can help BPRACo collect risk data, perform risk analysis, generate reports, and provide risk mitigation recommendations.

Table 13 explains the improvement recommendations for the technology aspect based on gap analysis. In the technology aspect, there is only one component: the service, infrastructure, and application

9 Potential Improvement Roadmap Based on Resource, Risk, and Value (RRV) Analysis

Table 14 outlines the results of the resource, risk, and value (RRV) analysis for all potential improvements across each aspect. Based on the RRV analysis, an implementation priority for improvements at BPRACo is established. The RRV analysis is divided into three categories based on the scores obtained: high, medium, and low. The higher the score, the higher the priority for implementing the

Table 14. Potential Improvement Priority
Potential Improvement
People Aspect
- Conduct training and raise staff awareness regarding sourcing knowledge and
- Add a new role and responsibility that operates independently to manage the company's finances.
- Increase the responsibility of the IT team to regularly search for vendors and scan for new partners.
- Add the responsibility of a Data Protection Officer at BPRACo to protect the privacy of information from external parties.
- Conduct training and obtain professional certifications in network and data security that can be implemented within the company.
Process Aspect
- Add procedures for requesting RFI and RFP documents, vendor risk mitigation procedures, and points for periodic vendor performance evaluations.
- Add procedures for risk handling scenarios and their impact on business
- Implement a policy to evaluate the results of risk assessments for third parties collaborating with BPRACo.
- Create documentation for vendor evaluation results obtained from RFI and RFP
- Add supplementary information regarding gaps BPRACo experiences with
- Add risk indicators that can be quickly identified.
- Develop a report documenting the results of vendor evaluations, to be consistently performed.
- Add procedures for addressing compliance issues that BPRACo has not yet met.
Technology Aspect
- Identify applications that can assist BPRACo in analyzing potential risks to the
- Determine tools that can help BPRACo manage contract systems with partnering
- Identify tools or services for monitoring the latest regulations issued by
- Identify services or features that can help BPRACo collect risk data, perform risk analysis, generate reports, and provide recommendations for risk mitigation.
Score Priority

10 Recommendations

At this stage, recommendations from the gap analysis results are mapped out, divided into three aspects from the seven components. The first aspect is people, which includes organizational structure, personnel, skills and competencies, and culture, ethics, and behavior. The second aspect is process, which includes processes, information, and principles, policies, and procedures. The last aspect is technology, which includes services, infrastructure, and applications.

1 People Aspect Recommendations

Recommendations for the people aspect include adding roles and responsibilities as well as training and certification related to skills with gaps. Recommendations include adding a Financial Manager role, who would be responsible for maintaining financial records in compliance with audit requirements, assisting in financial planning and budgeting, collecting financial analyses, advising on financial planning, monitoring expenditures, and suggesting effective budget usage. Additionally, the role of Data Protection Officer is recommended to address data protection and privacy concerns, and this responsibility will be added to the existing role of IT Manager, Research, and Business Development. Further, it is suggested to include ongoing responsibilities for searching for new vendors within the IT Manager, Research, and Business Development role. Training and certification recommendations include Strategic Negotiation Skills training and Supplier Relationship Management (SRM) certification to enhance sourcing skills, as well as ISO/IEC 27001 certification to improve network and data security skills.

2 Process Aspect Recommendations

Recommendations for the process aspect involve adding standard operating procedures (SOPs) and additional reporting documents. The SOP additions include SOPs for Vendor Selection, Compliance Handling, Risk Handling, and Risk Trend Identification. The Vendor Selection SOP covers the process for requesting vendor RFI and RFP documents and periodically evaluating vendor performance. The Compliance Handling SOP outlines the steps to address compliance actions that BPRACo has not yet met with regulators. The Risk Handling SOP details standards for risk scenarios and identifying the impact of risks on business processes. The Risk Trend Identification SOP includes standards for grouping risks and identifying risks based on industry trends. These SOP additions are based on the identified gaps in the process component. Additionally, for the information component, there will be new reporting documents: Vendor RFI/RFP Evaluation Document, Vendor Risk Evaluation Results Document, and Compliance Action Plan Document. The Vendor RFI/RFP Evaluation Document includes evaluation methodology, vendor review based on RFI/RFP documents, evaluation criteria, analysis, results, and recommendations. The Vendor Risk Evaluation Results Document contains risk identification methods, risk categorization, risk assessment and mitigation procedures, documentation and reporting, and recommendations.
The Compliance Action Plan Document outlines binding regulations for BPRACo, the results of regulatory gap analysis, causes of gaps, action plans, and monitoring and evaluation of gaps.

3 Technology Aspect Recommendations

Recommendations for the technology aspect involve adopting tools and features. The adoption of tools includes Concord, Compliance.ai, and RiskWatch. The adoption of features requires the RiskWatch application, which provides functionalities for risk data collection, risk analysis, reporting, and mitigation recommendations. The Concord tool will be adopted to assist BPRACo in managing its contract management system (CMS). Compliance.ai will be implemented to help BPRACo monitor regulatory changes in the banking industry and will be used as a governance, risk, and compliance (GRC) tool. The adoption of RiskWatch tools and features will support risk analysis, reporting, and risk mitigation actions and will be used for enterprise risk management (ERM).

4 Implementation Roadmap

The implementation roadmap for improvements is divided into several periods or quarters (Q): the first quarter (Q1) from January to March, the second quarter (Q2) from April to June, the third quarter (Q3) from July to September, and the fourth quarter (Q4) from October to December. The earliest implementation schedule is organized based on the RRV analysis priorities, as shown in Table 15.

Table 15. Recommendations of Potential Improvement Implementation Roadmaps

Recommendations | Q1 | Q2 | Q3 | Q4 | Q1 | Q2 | Q3 | Q4

People Aspect
- Conduct staff training on sourcing knowledge and skills
- Adding a role and responsibilities as a financial manager
- Increase the responsibilities of the IT team to regularly find vendors for new partner scanning
- Adding the responsibility of a data protection officer at BPRACo
- Provide training and certification in the field of network and data security.

Process Aspect
- Adding procedures related to vendor selection
- Adding procedures for handling risks
- Adding reports on vendor risk evaluations
- Create documents for RFI/RFP vendor evaluations
- Create additional notes on regulatory gaps experienced by BPRACo
- Adding risk indicators that can be quickly identified with risk trends
- Consistently create evaluation reports
- Adding procedures for addressing regulatory gaps

Technology Aspect
- Adopt an application that can analyze risks
- Adopt a contract management system application
- Adopt tools or services to monitor the latest regulations
- Adopt application features for collecting risk data, risk analysis, reporting, and risk mitigation recommendations

Table 15 outlines the planned implementation roadmap for improvements from the first quarter (Q1) of 2025 to the fourth quarter (Q4). For the people aspect, implementation planning starts in the third quarter (Q3) of 2025 and ends in the third quarter (Q3). For the process aspect, recommendations for implementation begin in the first quarter (Q1) of 2025 and continue through the fourth quarter (Q4). Finally, for the technology aspect, the improvement plan implementation starts in the fourth quarter (Q4) of 2025 and concludes in the third quarter (Q3).

5 Implementation Plan Impact

Table 16 shows the impact of the implementation plan before and after the improvements. The impact is divided into seven components; however, the impact does not cover the components of principles, policies, and procedures, as no gaps were found in these components.

Table 16. Impact of Implementation Design

| Before Implementation | After Implementation |
|---|---|
| Process Component | |
| APO10 Managed Vendors: average capability level 3.1 | APO10 Managed Vendors: average capability level 4.2 |
| MEA03 Managed Compliance with External Requirements: average capability level 3.25 | MEA03 Managed Compliance with External Requirements: average capability level 3.5 |
| APO12 Managed Risk: average capability level 3.8 | APO12 Managed Risk: average capability level 4.17 |
| Organizational Structures Component | |
| There is no Financial Manager yet | Finance Manager |
| There is no Security Expert position yet | IT, Research, and Business Development Manager |
| There is no one fully responsible as a Privacy Officer yet | IT, Research, and Business Development Manager |
| Information Component | |
| No RFI and RFP evaluation documents available | RFI and RFP Evaluation Documents |
| No vendor risk identification documents | Vendor Risk Identification Documents |
| Compliance gaps have not been mapped | Compliance Gap Documents |
| Detailed risk analysis for third parties has not been conducted | Risk Evaluation Report for Third Parties |
| People, Skills, and Competencies Component | |
| No expert in sourcing | Training in negotiation skills for managers. Strategic Negotiation Skills training. Certified Professional in Supply Management (CPSM). Supplier Relationship Management (SRM). |
| Culture, Ethics, and Behavior Component | |
| Has not continuously scanned for new partners | A culture of identifying, evaluating, and selecting vendors regularly to find competitive contenders |
| Services, Infrastructure, and Applications Component | |
| Currently lacks a contract management system | Concord helps manage contract systems or contract management systems (CMS) |
| Has not yet used tools providing regulatory monitoring services | Compliance.ai serves as governance, risk, and compliance (GRC) tools |
| Lacks applications related to risk analysis; does not have services related to risk intelligence | RiskWatch functions as tools and services for risk management or enterprise risk management (ERM) |

Table 16 explains how the improvement plan can affect the seven components. For the process component, GMO APO10 shows an increase in average capability score from 3.1 to 4.2, GMO MEA03 shows an increase from 3.25 to 3.5, and GMO APO12 shows an increase from 3.8 to 4.17. In the organizational structure component, a new role, Financial Manager, has been added, along with additional responsibilities for the Manager of IT, Research, and Business Development. In the information component, several evaluation documents have been added. For the people, skills, and competencies component, training and certifications have been recommended to improve sourcing capabilities. In the culture, ethics, and behavior component, a new culture has been introduced that supports ongoing vendor scanning to find more competitive vendors. In the services, infrastructure, and applications component, various tools and features have been introduced to help BPRACo manage its contract management system, GRC tools, and enterprise risk management.

Research Discussions

This study confirms that an effective ambidextrous IT governance mechanism is crucial for small and medium enterprises (SMEs) like BPR. The findings align with previous research conducted on large banks with different frameworks such as COBIT 2019 Information Security, COBIT 2019 I&T Risk, and COBIT 2019 GMO focused on the APO and DSS domains, which emphasizes the critical role of IT governance for achieving successful technology development.
IT governance ensures that technology investments align with business goals, thereby enhancing BPRACo's ability to remain competitive in the rapidly evolving technology

BPRACo faces challenges in implementing a hybrid IT governance approach due to resource and financial constraints. However, with the right strategy, combining traditional IT governance with agile-adaptive IT governance, BPRACo can improve efficiency and support a successful technology development journey. This research adds to the existing knowledge on how hybrid IT governance approaches can be adapted and applied to companies with limited resources or SMEs, and also demonstrates that the flexibility of IT governance implementation can be tailored to different environments and scales of

On the other hand, as a practical implication, with appropriate implementation BPRACo would increase its average capability, which can help it with its DT journey.

Conclusion

This research has limitations: the research framework used is the COBIT 2019 SME Focus Area, which focuses on IT management for DT, and the research object is an SME, so the implementation results are influenced by budget, culture, and company characteristics. This research shows that the effective implementation of IT governance (ITG) is crucial for the success of technology development (TD), especially for companies still categorized as SMEs like BPRACo. The ambidextrous IT governance approach, combining traditional and agile-adaptive IT governance, has allowed BPRACo to enhance efficiency and adapt to the dynamic technology environment. This success is evidenced by the increased capability scores in the process components of priority GMOs: APO10 rising from 3.1 to 4.2, MEA03 from 3.25 to 3.5, and APO12 from 3.8 to 4.17. Not only the process components, but all seven components were adjusted according to the COBIT 2019 SME focus area guidelines to guide a successful TD journey.
Adjustments included adding roles and responsibilities in the organizational structure, new documents in the information component, training and certification recommendations in the people, skills, and competencies component, new culture developments in the culture, ethics, and behavior component, and new tools and features in the services, infrastructure, and applications component. These adjustments support BPRACo's success in TD by ensuring technology investments align with business goals, enhancing competitiveness, and ensuring compliance with regulations.

As a recommendation for practitioners, the researcher hopes this study can serve as a reference in applying the COBIT 2019 SME focus area framework in designing digital transformation for companies classified as SMEs. The researcher also hopes this study can be a guide for practitioners in crafting improvement recommendations for companies. For BPRACo, the researcher hopes this study can be used as a reference for reviewing the current state of IT governance in the company. The recommendations provided by the researcher should be considered for implementation to assist BPRACo in achieving a successful digital transformation journey.

REFERENCES