JDBIM
(Journal of Digital Business and Innovation Managemen.
Volume 4 No.
December 2025, 302-316 ISSN 2962-3898 (Onlin.
DOI: 10.
26740/jdbim.
https://ejournal.
id/index.
php/jdbmi/i Development of Audit Instruments and Maturity Assessment of Academic Information Systems Using COBIT 2019 (A Case Study at XYZ Universit.
Putri Amaliyah 1*.
Renny Sari Dewi1.
Rindu Puspita Wibawa2.
Ainur Rofik3 1Department of Digital Business.
Faculty of Economics and Business.
Universitas Negeri Surabaya.
Jalan Ketintang.
Surabaya 60231.
Indonesia 2Directorate of Cooperation.
Information Technology, and Data Center.
Universitas Negeri Surabaya.
Jalan Lidah Wetan.
Surabaya 60213.
Indonesia 3Directorate of Digital Learning Innovation.
Universitas Negeri Surabaya.
Jalan Lidah Wetan.
Surabaya 60213.
Indonesia 21051@mhs.
Abstract This study aims to evaluate the performance of the Digital Academic Information System (SISD) at XYZ University using the COBIT 2019 framework.
The evaluation focuses on two core academic featuresAiStudy Plan Card (KRS) and Study Result Card (KHS)Aito develop a systematic audit working paper and provide improvement recommendations.
A qualitative case study approach was employed, with data collected through semi-structured interviews involving SISD The analysis was conducted descriptively based on the Deliver.
Service, and Support (DSS) domain of COBIT 2019.
The findings indicate that SISD has achieved Maturity Level 3 (Define.
, with an average score of 3.
This study contributes a practical audit instrument and a Maturity improvement plan to strengthen information system governance in the higher education environment.
addition, the study offers a cost estimation to support comprehensive implementation planning.
Keywords: Information System Audit.
COBIT 2019.
Audit Instrument.
Academic Information System.
Higher Education Received: 1 June 2025.
Accepted: 25 July 2025.
Published: December 2025 To cite this document:
Amaliyah.
Dewi.
Wibawa.
, & Rofik.
Development of Audit Instruments and Maturity Assessment of Academic Information Systems Using COBIT 2019 (A Case Study at XYZ Universit.
JDBIM (Journal of Digital Business and Innovation Managemen.
Vol.
4 Np.
2, pp.
DOI link Putri Amaliyah.
Renny Sari Dewi.
Rindu Puspita Wibawa.
Ainur Rofik Development of Audit Instruments and Maturity Assessment of Academic Information Systems Using COBIT 2019 (A Case Study at XYZ Universit.
*Corresponding author Email: putriamaliyah.
21051@mhs.
Abstrak Penelitian ini bertujuan untuk mengevaluasi kinerja Sistem Informasi Digital Akademik (SISD) di perguruan tinggi XYZ dengan menggunakan kerangka kerja COBIT 2019.
Evaluasi difokuskan pada dua fitur utama, yaitu Kartu Rencana Studi (KRS) dan Kartu Hasil Studi (KHS), guna menyusun kertas kerja audit yang sistematis serta memberikan rekomendasi perbaikan berbasis analisis proses.
Pendekatan penelitian yang digunakan adalah studi kasus kualitatif, dengan teknik pengumpulan data melalui wawancara semi-terstruktur terhadap pengelola SISD.
Analisis dilakukan secara deskriptif berdasarkan domain Deliver.
Service, and Support (DSS) dalam COBIT 2019.
Hasil penelitian menunjukkan bahwa SISD berada pada tingkat Maturity Level 3 (Define.
dengan skor rata-rata 3,15.
Temuan ini menghasilkan instrumen audit yang aplikatif serta rencana peningkatan maturity untuk memperkuat tata kelola sistem informasi di lingkungan perguruan tinggi.
Selain itu, penelitian ini juga memberikan estimasi anggaran sebagai dasar perencanaan implementasi perbaikan secara menyeluruh.
Kata kunci: Audit Sistem Informasi.
COBIT 2019.
Instrumen Audit.
Sistem Informasi Akademik.
Perguruan Tinggi BACKGROUND The academic information system is a fundamental component in supporting higher education administrative activities, particularly in the management of the Study Plan Card (KRS) and the Study Result Card (KHS).
This system is designed to provide efficient and integrated services, thereby fulfilling the academic needs of students and lecturers comprehensively (Alfarizi et al.
, 2023.
Cahyadi et al.
, 2.
However, in its implementation, various issues are still found in academic information systems at several universities, one of which is XYZ University.
Users experience obstacles such as grade data discrepancies, inappropriate credit (SKS) limitations, and technical disruptions in essential features, which directly affect the smooth running of academic processes (Hidayati, 2024.
Khairunnisa et al.
, 2.
These problems indicate weak governance of digital academic services, which should comply with the principles of a secure, reliable, and accountable electronic system as regulated in Government Regulation Number 71 of 2019.
In the context of higher education, the existence of poorly managed information systems can reduce user trust in the institution (Faqih Zubaedi et al.
, 2019.
Utama, 2.
Several previous studies have emphasized the importance of strengthening information technology governance in academic environments, but most have still focused on system development https://ejournal.
id/index.
php/jdbmi/index JDBIM (Journal of Digital Business and Innovation Managemen.
Volume 4 No.
December 2025
E-ISSN 2962-3898
Page 302-316 strategies rather than the direct evaluation of operational aspects.
Specific evaluations of academic system performance based on the COBIT 2019 framework, particularly in the Deliver.
Service, and Support (DSS) domain, are still rarely conducted (Firmansyah et al.
, 2024.
Katami et al.
, 2.
To fill this gap, this study aims to design and implement an audit working paper based on COBIT 2019 in the DSS domain of the academic information system (SISD) at XYZ University.
The results of this audit are expected to provide data-driven improvement recommendations that are relevant to actual conditions and support the continuous improvement of academic service quality (Anadya Tafdhilla et al.
, 2023.
ISACA, 2018.
LITERATURE REVIEW
COBIT 2019 Framework COBIT 2019 is an information technology governance framework developed by ISACA and widely used in IT audit and management This framework consists of five main domains: Evaluate.
Direct, and Monitor (EDM).
Align.
Plan, and Organize (APO).
Build.
Acquire, and Implement (BAI).
Deliver.
Service, and Support (DSS).
and Monitor.
Evaluate, and Assess (MEA), which collectively cover the entire IT management lifecycle (ISACA, 2018a.
Nisri, 2.
This study focuses its analysis on the Deliver.
Service, and Support (DSS) domain because it is directly related to service delivery and the operational management of the academic information system being This domain is considered the most relevant in the context of assessing service effectiveness, handling complaints, and controlling the ongoing digital academic processes.
The DSS subdomains used in this study are presented in Table 1 below.
Table 1.
DSS Subdomains Used in the Study No.
Indeks Domain
DSS01
DSS02
DSS03
DSS06
Domain Name Manage Operations Manage Service Requests and Incidents Manage Problems Managed Business Process Controls Source: COBIT 2019 (ISACA, 2018.
Each subdomain is evaluated based on the COBIT 2019 maturity model, which uses the Capability Maturity Model Integration (CMMI) scheme.
This model categorizes process maturity levels into six stages, ranging from https://ejournal.
id/index.
php/jdbmi/index Putri Amaliyah.
Renny Sari Dewi.
Rindu Puspita Wibawa.
Ainur Rofik Development of Audit Instruments and Maturity Assessment of Academic Information Systems Using COBIT 2019 (A Case Study at XYZ Universit.
Level 0 (Incomplet.
to Level 5 (Optimizin.
, to measure the quality of process implementation in a systematic and sustainable manner (Elue.
ISACA, 2018.
The details can be seen in Figure 1.
Figure 1.
Maturity Level COBIT 2019 (ISACA, 2018.
Applying this model in the audit enables an objective measurement of the academic information system's management capabilities, while also serving as a foundation for formulating system performance improvement recommendations based on a globally standardized framework.
Academic Information System Audit An Information System Audit is a systematic process aimed at evaluating the performance and compliance of an information system with applicable standards, as well as identifying potential deviations in its management (Dewi et al.
, 2024.
Thenu & Rudianto, 2.
This audit includes assessments of applications, infrastructure, and policy compliance, based on the information security principles of Confidentiality.
Integrity, and Availability (NIST, 2.
The primary goal of the audit is to ensure that the information system supports the achievement of the organization's strategic objectives, manages IT risks, and maintains data security and reliability (Permatasari et al.
, 2.
To strengthen the foundation of this research, several relevant previous studies are presented below.
Table 2.
Previous Research Ref (Indra wati et Findings Developed a COBIT 2019-based maturity assessment toolkit in six phases.
Research Gap Focused only on tool applied to specific academic systems.
https://ejournal.
id/index.
php/jdbmi/index Relevance to This Study Supports audit worksheet design using COBIT 2019, aligned with DSS domain JDBIM (Journal of Digital Business and Innovation Managemen.
Volume 4 No.
December 2025
E-ISSN 2962-3898
Page 302-316 Ref (Firma et al.
(Nisri, (Khair et al.
(Saleh et al.
Findings Achieved level 3 .
73 avg.
) on DSS01 at PT Solusi Finansialku.
Security governance in University XYZ reached level 2 on APO12/13 DSS05.
Academic University XYZ scored Level (APO13.
MEA.
and Level 3 (DSS.
Poltesa audit showed 21 .
ange level 2Ae.
, indicating fair maturity.
Research Gap Conducted corporate setting.
directly applicable to academic systems.
Focused on security.
did not assess service delivery in academic Relevance to This Study Provides DSS01 benchmark for evaluating academic IT systems like SISD.
Context-specific setting from SISD in current study.
Provides comparative data using COBIT 2019 on academic IS relevant to SISD Focused only on IT audit in a polytechnic.
lacks academic SISD Confirms COBIT 2019's applicability to audit and performance evaluation in academic IS.
Relevant for comparing DSS domain implementation in academic system audits.
These studies show that COBIT has been widely used in information system evaluations.
however, the academic context has rarely been the main focus.
METHODS
This study employs a qualitative approach using a case study method, aimed at designing and implementing an information system audit instrument based on the COBIT 2019 framework for the Academic Information System (SISD) at XYZ University.
This approach was chosen because it allows the researcher to explore phenomena in depth and in context through direct interaction with the system environment, system administrators, and users of digital academic services.
The research method flow is presented in Figure 2 below.
https://ejournal.
id/index.
php/jdbmi/index Putri Amaliyah.
Renny Sari Dewi.
Rindu Puspita Wibawa.
Ainur Rofik Development of Audit Instruments and Maturity Assessment of Academic Information Systems Using COBIT 2019 (A Case Study at XYZ Universit.
Figure 2.
Research Methods Based on Figure 2, the explanation of each stage is as follows:
Justification for Domain Selection The selection of subdomains DSS01.
DSS02.
DSS03, and DSS06 was carried out using ISACAAos COBIT 2019 Design Toolkit.
The Design Factors were filled in semi-quantitatively through contextual observation of the SISD, interviews with system administrators, and an understanding of the academic business processes at XYZ University.
The results of this justification formed the basis for defining the audit scope.
Design of Audit Instruments After determining the subdomains, this stage involved the preparation of the audit instrument, which consisted of three types of working papers: process audit, checklist audit, and step-by-step These three documents were developed based on indicators from COBIT 2019 to support a systematic and well-directed audit Audit Implementation and Maturity Level Assessment The audit was conducted through semi-structured interviews with SISD administrators, using the previously developed audit working papers.
The assessment focused on KHS and KRS services, referring to the COBIT 2019 Capability and Maturity Level model .
evels 1Ae.
to measure the extent to which each subdomain has been implemented, managed, and standardized in the system's operational context.
Analysis of Findings and Audit Recommendations https://ejournal.
id/index.
php/jdbmi/index JDBIM (Journal of Digital Business and Innovation Managemen.
Volume 4 No.
December 2025
E-ISSN 2962-3898
Page 302-316 The audit results were analyzed to identify gaps between the actual conditions and ideal governance practices.
Based on these findings, strategic improvement recommendations were formulated to enhance the effectiveness of service management and the quality of the information system at XYZ University.
RESULT AND DISCUSSION
Justification for Domain Selection The determination of the audit scope in this study uses ISACA's COBIT 2019 Design Toolkit to align the selection of domains and subdomains with the characteristics of the organization and the system being audited.
The selection process was conducted semiquantitatively through observations of the SISD system, interviews with administrators, and an understanding of academic business processes at XYZ University.
This approach aligns with the principle that Design Factors are organization-specific and practitioner-driven, as explained by ISACA .
In addition.
Bayastura et al.
, .
emphasized that the use of the Design Toolkit allows for a more contextual audit that does not rely solely on the highest numerical To illustrate the entire Design Factors process.
Figure 3 below presents a visualization of the DF1AeDF10 inputs entered into the COBIT 2019 toolkit.
Figure 3.
COBIT 2019 Design Factors https://ejournal.
id/index.
php/jdbmi/index Putri Amaliyah.
Renny Sari Dewi.
Rindu Puspita Wibawa.
Ainur Rofik Development of Audit Instruments and Maturity Assessment of Academic Information Systems Using COBIT 2019 (A Case Study at XYZ Universit.
Based on the modeling results using the COBIT 2019 Design Toolkit, the DSS (Deliver.
Service and Suppor.
domain becomes the top priority because it best aligns with the operational functions of the SISD system, which supports learning activities, academic services, and the management of student and lecturer information.
The selected subdomains are DSS01.
DSS02.
DSS03, and DSS06 as they are directly related to service management, incidents, technical issues, and academic process control.
Meanwhile, other domains such as EDM.
APO, and BAI are more relevant to strategic policies and new system development, and therefore are not the focus in the context of auditing an already operational system (ISACA, 2018.
Design of Audit Instruments The audit instruments designed in this study consist of three types of working papers: Process.
Checklist, and Step-by-Step.
These working papers are developed based on the structure of subdomains and process activities within the DSS domain of COBIT Table 3 presents the detailed relationship between audit documents based on the selected subdomains.
Table 3.
Audit Working Paper Structure Process
Checklist
DSS01
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS02
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS03
DSS03.
DSS03.
DSS03.
Audit Working Papers Step-by-Step DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS01.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
https://ejournal.
id/index.
php/jdbmi/index JDBIM (Journal of Digital Business and Innovation Managemen.
Volume 4 No.
December 2025
E-ISSN 2962-3898
Page 302-316
Process
DSS06
Checklist DSS03.
DSS03.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
Audit Working Papers Step-by-Step DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS03.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
DSS06.
This structure ensures that the evaluation is carried out comprehensively, from the domain level down to the smallest technical activities, enabling auditors to objectively and measurably assess the systemAos maturity and effectiveness.
Audit Implementation and Maturity Level Assessment The audit of the Digital Academic Information System (SISD) system focused on the Study Plan Card (KRS) and the Study Result Card (KHS).
These features serve a strategic function in facilitating academic administrative processes within the digital learning This study adopted a qualitative case study approach, where data were collected through semi-structured interviews and the analysis of relevant supporting documentation.
Informants were selected purposively based on their direct involvement in the development, technical operation, policy decision-making, and overall management of SISD.
These four key individuals represented different perspectives, including system development.
IT infrastructure, operational decision-making, and academic service SISD is an integrated digital learning platform managed by a dedicated directorate at University XYZ.
The platform was designed to support the delivery of online learning in both synchronous and https://ejournal.
id/index.
php/jdbmi/index Putri Amaliyah.
Renny Sari Dewi.
Rindu Puspita Wibawa.
Ainur Rofik Development of Audit Instruments and Maturity Assessment of Academic Information Systems Using COBIT 2019 (A Case Study at XYZ Universit.
asynchronous formats and is integrated with internal academic systems, the national learning management system, and curriculum documents based on the Outcome-Based Education (OBE) The KRS feature allows students to select their courses for the active semester, submit course plans for academic advisor approval, and generate official documentation for academic Meanwhile, the KHS feature enables students to access and print their academic results, which include individual course grades, semester grade point average, and accumulated credit Both features are critical for ensuring transparency, accountability, and efficiency in the digital academic process.
The audit was designed to evaluate the maturity of digital service management processes related to the implementation of the KRS and KHS features.
Specific aspects examined included service availability, clarity of workflow processes, user access control, and the reliability of academic data.
The assessment process was guided by the COBIT 2019 framework and concentrated on four subdomains within the Deliver.
Service and Support (DSS) domain.
These subdomains were DSS01 Manage Operations.
DSS02 Manage Service Requests and Incidents.
DSS03 Manage Problems, and DSS06 Manage Business Process Controls.
The selection of these subdomains was based on their relevance to operational execution, incident handling, problem resolution, and the management of business process controls in academic digital services.
Each subdomain was evaluated using the COBIT 2019 Capability and Maturity Level model, which ranges from Levels 1-5.
This model evaluates the extent to which organizational processes are structured, standardized, documented, repeatable, and continuously improved.
Thematic analysis was applied to the data obtained from semi-structured interviews with four key stakeholders who are directly involved in the development, operation, and management of SISD.
The insights generated were compiled into structured audit working papers, which served as the basis for determining the maturity levels of each subdomain.
The resulting scores provide an overview of the systemAos maturity in managing academic services and are presented in Table 4.
Table 4.
DSS Subdomain Maturity Assessment Results No.
Indeks Domain
DSS01
DSS02
Domain Name Manage Operations Manage Service Requests and Incidents https://ejournal.
id/index.
php/jdbmi/index Value 3,08 2,98 JDBIM (Journal of Digital Business and Innovation Managemen.
Volume 4 No.
December 2025
E-ISSN 2962-3898
Page 302-316
DSS03
DSS06
Manage Problems Managed Business Process Controls Average 3,07 3,47 3,15 Based on the summary in Table 4, the maturity achievements of each subdomain were then visualized in a radar chart in Figure 4 to facilitate interpretation and provide a comprehensive picture of the score variations and areas that need improvement prioritization.
Figure 4.
DSS Assessment Radar Chart The audit results show that the four audited DSS subdomains have an average maturity of 3.
15, which falls under Level 3 (Define.
This indicates that most processes have been consistently implemented and documented according to standards.
However.
DSS02 recorded the lowest score .
, reflecting weaknesses in incident and service request management, particularly in documentation and procedural flow aspects.
Therefore, it is recommended to strengthen documentation, develop clearer technical policies, and increase user awareness of The radar chart in Figure 4 emphasizes the imbalance across subdomains and serves as a basis for prioritizing improvements in academic digital services within SISD.
Findings Analysis and Audit Recommendations The performance audit of the SIDIA information system using the COBIT 2019 framework resulted in several findings within the DSS (Deliver.
Service and Suppor.
domain, which were followed up with implementable improvement recommendations.
Emphasis was https://ejournal.
id/index.
php/jdbmi/index Putri Amaliyah.
Renny Sari Dewi.
Rindu Puspita Wibawa.
Ainur Rofik Development of Audit Instruments and Maturity Assessment of Academic Information Systems Using COBIT 2019 (A Case Study at XYZ Universit.
placed on cost estimates to assist the university in planning resource allocation and making managerial decisions based on actual needs.
Referring to the principles of value delivery and performance management in COBIT 2019, the audit results are not only evaluative but also actionable and cost-aware.
DSS01 (Manage Operation.
The DSS01 domain scored a capability level of 3.
indicating that most operational processes in the Academic Digital Information System (SISD) are documented but not yet fully consistent in terms of monitoring and evaluation.
To enhance this capability to a higher level.
XYZ University needs to:
A Develop SLA & KPI documents for SISD services A Conduct independent audits on outsourced services A Develop an incident reporting system integrated with automatic notifications To implement these improvements optimally, the estimated budget required is between IDR 111,000,000 and IDR 188,000,000.
DSS02 (Manage Service Requests and Incident.
The DSS02 domain received a capability score of 2.
indicating that incident handling processes in SISD are not yet managed optimally and sustainably.
To enhance this process capability.
XYZ University is recommended to:
A Strengthen documentation of incident handling procedures A Improve the technical capacity of service staff A Build a more responsive and integrated reporting system The estimated cost to implement these recommendations is IDR 43,500,000 to IDR 66,500,000.
DSS03 (Manage Problem.
The DSS03 domain showed a capability score of 3.
indicating that problem management in SISD is functioning with basic documentation but lacks a structured root cause analysis.
To enhance this capability.
XYZ University should:
A Establish root cause analysis procedures A Implement a more integrated problem logging and monitoring The estimated budget required to support these improvements ranges from IDR 22,000,000 to IDR 31,500,000.
https://ejournal.
id/index.
php/jdbmi/index JDBIM (Journal of Digital Business and Innovation Managemen.
Volume 4 No.
December 2025
E-ISSN 2962-3898
Page 302-316 DSS06 (Manage Business Process Control.
The DSS06 domain scored 3.
47, showing that academic process control is in place but still needs reinforcement in terms of security, auditability, and compliance.
XYZ University is advised to:
A Add an audit trail feature to SISD A Apply the principle of user task separation A Schedule periodic audits of academic digital activities The estimated cost to implement these improvements is IDR 37,000,000 to IDR 52,500,000.
If all improvement recommendations are implemented to increase SISD process capabilities to a higher level, the total estimated cost required by XYZ University is expected to range from IDR 213,500,000 to IDR 338,500,000, depending on the chosen technology approach and optimization of internal resources.
CONCLUSION
This study concludes that the maturity level of the Academic Digital Information System (SISD) at XYZ University is positioned at Level 3 (Define.
, based on the audit findings of four subdomains within the Deliver.
Service, and Support (DSS) domain of the COBIT 2019 frameworkAinamely DSS01.
DSS02.
DSS03, and DSS06Aiwith an average capability score of This result indicates that the institution has implemented digital academic service processes in a documented and consistent manner.
However, several areas still require enhancement, particularly in the management of service requests and incidents (DSS.
, which obtained the lowest score of 2.
The proposed recommendations for improvement include the reinforcement of procedural documentation, the development of a responsive and integrated reporting system, and the implementation of additional security controls and audit trail mechanisms.
Should all proposed enhancements be executed to elevate the maturity level to a higher stage, the estimated financial investment required ranges between IDR 213,500,000 and IDR 338,500,000, depending on the technological approach and the extent of internal resource optimization.
This study is limited in scope to the DSS domain and was conducted within the context of a single higher education institution.
Consequently, the https://ejournal.
id/index.
php/jdbmi/index Putri Amaliyah.
Renny Sari Dewi.
Rindu Puspita Wibawa.
Ainur Rofik Development of Audit Instruments and Maturity Assessment of Academic Information Systems Using COBIT 2019 (A Case Study at XYZ Universit.
findings may not be generalizable to other academic institutions or information systems.
Future research is therefore encouraged to broaden the scope of the audit to include additional COBIT domains, adopt quantitative or mixed-method research approaches, and develop a standardized evaluation framework that is applicable across multiple Moreover, the implementation of periodic and continuous audits is strongly recommended to ensure the sustainability of service quality and to accommodate evolving user needs and advancements in academic information technology.
REFERENCES