Journal ofRenewable Renewable Energy.
Electrical, and Computer Engineering Journal of Energy.
Electrical, and Computer Engineering, 2 .
38-46 Vol.
No.
March 2022, 38-46 e-ISSN: 2776-0049 DOI: https://doi.
org/10.
29103/jreece.
Research Original Article Information Technology Governance Audit Using COBIT 5 of DSS Domain (Deliver.
Service.
And Suppor.
Framework at Malikussaleh University Lhokseumawe Safwandi1.
Muthmainnah2, & Misbahul Jannah3 1 Technical Information Department.
Faculty of Engineering.
Universitas Malikussaleh.
Bukit Indah, 24352.
Lhokseumawe.
Indonesia 2 Information Systems Department.
Faculty of Engineering.
Universitas Malikussaleh.
Bukit Indah, 24352.
Lhokseumawe.
Indonesia 3 Electrical Engineering Department.
Faculty of Engineering.
Universitas Malikussaleh.
Bukit Indah, 24352.
Lhokseumawe.
Indonesia nCCorresponding Author: muthmainnah@unimal.
id | Phone: 6285225766980 Received: February 20, 2022 Revision: March 18, 2022 Accepted: March 27, 2022 Abstract Information technology is very important for companies or institutions to support the achievement of the company's strategic plans to achieve their goals, vision, and mission.
Nowadays, an institution can improve the performance of information technology that goes hand in hand with the development of information technology to produce better technology by auditing information technology governance in the company.
The purpose of this study is to analyze IT governance using the COBIT 5 framework in the DSS domain at Malikussaleh University Lhokseumawe.
COBIT 5
provides a comprehensive framework that helps companies achieve their goals in corporate governance and IT The framework helps companies create optimum value from IT by maintaining a balance between realizing benefits and optimizing risk and resource usage levels.
By conducting an audit of information technology governance in the company, the company can find out whether the information technology that has been operating is in accordance with the business processes and company objectives and convey accurately based on the IT strategy.
The results of the information technology governance audit based on COBIT 5 in the DSS Domain, on average are at 2 (Manage proces.
6 (Established Proces.
Keywords: COBIT5.
IT Governance.
Capability Level.
Introduction Information technology plays a very important role for companies or institutions to support the achievement of the company's strategic plan to achieve the goals of the company or institution's vision, mission and objectives .
Nowadays, most of the management agrees on necessity of Auorganizational strategic playerAy.
As organizationAos strategy changes over time, it has to change too.
Now the company can improve the performance of information technology that has been running with the development of information technology to produce better technology by conducting information technology governance audit on the company.
By conducting information technology governance audit at the company, the company can find out whether the information technology that has been operating is in accordance with the business processes and objectives of the company and delivered accurately based on IT strategic .
Governance is helpful to guide and control an organization in achieving the previously planned goals.
The presence of information technology governance would likely support an organization to perform its IT in order to be more focused and able to coordinate between the process and existing benefits .
IT governance is a corporate governance framework that concentrates on the strategic IT resources particularly on its management and assessment.
Moreover, the main objectives of IT governance are aimed to ensure that investments in IT resources add value to the corporation by risk reduction.
In carrying out the analysis, a standard is needed that can help make valid and reliable measurements occur.
In this study, the standard used is COBIT 5.
The COBIT (Control Objectives for Information and related Technolog.
standard was chosen because the COBIT framework provides the most detailed description of strategy and control in IT process settings that support the alignment of business strategies and IT objectives .
The studies regarding IT governance evaluation thru COBIT 5 framework have been conducted by various .
The selection of COBIT 5 is appropriate for carrying out the information technology audit process because it covers all elements of information technology governance.
It is not centered solely on technical issues in technology but also sees other resources that drive information technology governance towards organizational goals.
Journal of Renewable Energy.
Electrical, and Computer Engineering, 2 .
38-46 The domain used in this audit process is Deliver.
Service, and Support (DSS) and the maturity test of each process from the domain using capability level was performed .
Literature Review Information Technology Audit Information technology studies are the process of gathering and evaluating evidence to determine whether a computer system can secure assets, maintain integrity, encourage the achievement of organizational governance effectively and use resources efficiently .
Information technology audit in general is a process of collecting data and evaluating evidence to determine whether a computerized application system has been implemented and has implemented an internal control system that is commensurate, all activities are properly protected or misused and data integrity is guaranteed, reliability and effectiveness and efficiency in organizing computer-based information.
The implementation of audits is able to provide information related to the level of asset security, maintaining data integrity, encouraging the achievement of organizational goals effectively, using resources efficiently, and knowing the maturity level of information technology, as well as producing recommendations for achieving optimal maturity levels .
IT Governance IT governance is defined as a structure of relationship and process that can guide an organization in its efforts to achieve the goals by providing added value from the use of information technology by taking into account the risks and results obtained .
IT governance is the duty of executive management stakeholders to supervise and implement an IT strategy that aims to ensure alignment between IT and business, identify a matrix to ensure the business value of IT and to manage IT risk effectively .
COBIT 5 COBIT (Control Objectives for Information and related Technolog.
is a standard guide to information technology management practices and a set of best practices documentation for IT governance that can help auditors, management, and users to bridge the gap between business risk, control needs, and technical issues .
COBIT 5 provides a comprehensive framework that helps companies achieve their goals in corporate governance and IT governance.
The framework helps companies create optimum value from IT by maintaining a balance between realizing benefits and optimizing risk and resource usage levels.
The COBIT Framework 5 makes a clear distinction between governance and These two disciplines cover different types of activities, require different organizational structures and serve different purposes.
COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.
Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
COBIT 5
enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector .
Figure 1.
Basic Principles of COBIT Domain Process of COBIT 5 The processes in COBIT 5 are divided into 2 areas, namely the area of governance and management as presented in Figure 2.
The process description for each domain is presented in Table 1.
The two areas consist of 5 domains and 37 processes .
The differences in the scope of governance and management are as follows:
Journal of Renewable Energy.
Electrical, and Computer Engineering, 2 .
38-46 Governance of Enterprise IT Governance ensures that company goals can be achieved by evaluating the needs, conditions, and preferences of stakeholders through priorities and making decisions on agreed directions and goals.
Governance control consists of evaluate, direct, and monitoring (EDM).
Management of Enterprise TI Management functions as a planner.
It builds, carries out, and monitors activities that are in line with the direction set by the governance body to achieve company goals.
Management controls consist of:
Align.
Plan and Organize (APO) APO Process aligns, plans and organizes 2.
Build.
Acquire and Implement (BAI) BAI Process builds, obtains, and implements Deliver.
Service and Support (DSS) DSS Process consists of delivery, service, and support.
Monitor.
Evaluate and Assess (MEA) MEA process supervises, evaluates, and assesses.
Figure 2.
COBIT 5 Governance and Management Key Areas5 Cobit 5 Process Reference Model COBIT 5 is not prescriptive, but from the previous text it is clear that it advocates that enterprises implement governance and management processes such that the key areas are covered.
In theory, an enterprise can organise its processes as it sees fit, as long as the basic governance and management objectives are covered.
Smaller enterprises may have fewer larger and more complex enterprises may have many processes, all to cover the same objectives.
Figure 3.
Process Reference Model Journal of Renewable Energy.
Electrical, and Computer Engineering, 2 .
38-46 Capability Level Capability model within COBIT 5 is based on ISO/IEC 15504, the standard on Software Engineering and Process Assessment Model.
The capability level itself is a model that describes how a core process in an organization is implemented.
In addition, it also provides measurement on the performance of processes within the governance or management area.
Within COBIT 5, there are six levels of capability as listed below:
Level 0 (Incomplete Proces.
This process is not implemented or fail to achieve the process objectives.
Level 1 (Performed Proces.
The process is implemented and achieves the process objectives.
Level 2 (Managed Proces.
The currently implemented process managed, monitored, and adjusted.
The appropriate products are maintained and controlled.
Level 3 (Enablished Proces.
The previously managed process is now implemented using the process that is able to achieve its objectives.
Level 4 (Predictable Proces.
The currently implemented and established process is now operable in defining the limit to achieve the process result.
Level 5 (Optimizing Proces.
The process predicted and described before is continuously improved to fulfill the currently relevant business objectives.
Research Methodology Literature Study In this study, a literature study was carried out to find the theoretical basis of previous research either through online journals and materials in the library.
The studies through literature studies include reading, summarizing, and Furthermore, related literature studies used as supporting material to carry out and work on this research.
Literature Review This research used literature study to search for the theories needed for research.
This research is a survey approach.
The analytical tool used in this research is the COBIT standard procedure issued by the ISACA (Information System Audit and Control Associatio.
The process domain used is DSS (Delivery Service, and Suppor.
in the DSS01 Manage Operations process.
DSS02 Manage Service Requests and Incidents.
DSS03 Managing Problems, and DSS06 Managing Business Process Control.
The literature review conducted by the researcher aims to collect the theoretical materials, methods, and governance models needed.
The purpose of literature study is to explore all data and information related to the problems and objects under study.
Review of Strategic Planning Process The study of the strategic planning process is carried out to collect data about the institution which includes the vision, mission, and institutional structure as the object to be studied.
This study is needed as material for researchers' understanding of the strategic planning process, objectives and current conditions of the institution COBIT Domain Selection COBIT domain selection was done by studying institutional documents and having discussions with IT division The COBIT domain was selected to ensure that the process being discussed is in line with the objectives of the institutionAos strategic planning.
Data Collection The research data consists of two types, namely primary data and secondary data.
Primary data is data obtained or collected by researchers directly from data sources.
In this study, primary data were obtained through:
Questionnaire.
The data collection was carried out by distributing questionnaires on information technology governance in the institution.
The questionnaire used to obtain quantitative data related to the company's IT process capability level: current capability level .
s-i.
and the expected level of capability .
o b.
Questionnaires were distributed within people involved in agency governance.
Interviews.
Interviews were conducted to the respondents who previously filled in the questionnaire with the aim that the respondent's understanding of the questions contained in the questionnaire is the same as those intended by the researchers.
Besides, interviews were also conducted to collect data and information related to information technology management.
Interviews were addressed to parties related to planning and implementing IT governance and were used to test the truth and maturity of data and to obtain more complete data.
Researchers analyzed the results of the interviews that had been carried out based on the rating scale on COBIT 5.
Figure 3 shows the steps of the study.
Secondary data is data obtained or collected by researchers from various existing Data Processing After testing the data, then calculation of capability level based on model provided by COBIT was conducted on reliable and valid data.
The analysis results produced the current IT process capability level and the capability level expected by Journal of Renewable Energy.
Electrical, and Computer Engineering, 2 .
38-46 the institution.
Furthermore, information technology processes that are at a low level need special attention to meet the expectations of institutional management.
Gap Analysis At this stage, a comparison was made between the current IT process capability level conditions with the IT process capability level conditions expected by the company.
The comparison aims to analyze the extent to which the current information technology process is in accordance with the conditions expected by the institution Information Technology Governance Planning At this stage, the authors designed information technology governance.
The governance plan designed taking into account the plans for the improvements needed to information technology processes which were made based on the gap analysis obtained in the previous stage.
The improvement plan contains recommendations that must be carried out by the institution with the aim of providing direction to management in order to achieve the expected target level of information technology process capability.
Furthermore, the creation of a governance model was realized in the form of formulating institutional policy proposals related to information technology.
Start Review of business Literature Domain selection Interview Questionnaire Data and processing Current condition Gap Analysis Recommendation Finish Figure 3.
ResearchMethod Result And Analysis The result of calculation of each respondent's responses to questionnaire which has been added up with the score for each control process then were calculated the average value of the capability level to get the capability level value of all respondents as shown in Table 1 to table 6.
DSS01 Manage Operations At this stage, the management of IT operational services that have been determined was analyzed with a description of the process of coordinating and carrying out the activities and operational procedures needed to provide internal IT services and results, including the implementation of predetermined standard operating procedures and the necessary Journal of Renewable Energy.
Electrical, and Computer Engineering, 2 .
38-46 monitoring activities.
The expected process capability model from DSS01 was at level 4, a process that can be predicted from the audit results, as can be seen in table 2.
It can be concluded that the average of DSS01 Management Operations domain processing capability was at the level 2.
4 (Managed Proces.
Table 1.
Capability Level Domain DSS01 N0.
Sub Domain Current Expected DSS01.
Perform operational procedures DSS01.
Manage outsourced IT services DSS01.
Monitor IT infrastructure DSS01.
Manage the environment DSS01.
Manage facilities Average DSS02 Manage Service Requests and Incidents This stage analyzed work, incident management and IT maintenance, with a description of the process of management of requests and service incidents for IT is carried out based on requests related to problems that arise with IT during work processes, incident management and IT maintenance.
The goal is to achieve increased productivity and minimize The expected process capability model from DSS02 was at level 4, a process that can be predicted from the audit results .
ee table .
It can be concluded that the average process capability of the DSS02 domain Manage Service Requests and Incidents was at level 2.
2 (Managed Proces.
Table 2.
Capability Level Domain DSS02 N0.
Sub Domain Define incident and service request Classification schemes.
Record, classify and prioritize Requests and incidents.
Verify, approve and fulfill service Investigate, diagnose and allocate Current Expected DSS02.
Resolve and recover from incidents.
Close service requests and DSS02.
Track status and produce reports.
DSS02.
DSS02.
DSS02.
DSS02.
DSS02.
Average DSS03 Manage Problems At this stage, increased availability, increased service levels, reduced costs, and increased customer comfort and satisfaction by reducing the number of operational problems were analyzed, with process descriptions of identifying and classifying problems and their root causes and providing timely resolution to prevent recurring events.
Provide recommendations for improvement.
The expected process capability model from DSS03 was level 4, a predictable process from the audit results .
ee table .
It can be concluded that the average process capability of the DSS03 Manage Problems domain was at level 2.
6 (Established Proces.
Table 3.
Capability Level Domain DSS03 N0.
Sub Domain Current Expected DSS03.
Identify and classify problems.
DSS03.
Investigate and diagnose problems.
DSS03.
Raise known errors.
DSS03.
Resolve and close problems.
Perform proactive problem Average DSS03.
Journal of Renewable Energy.
Electrical, and Computer Engineering, 2 .
38-46 DSS04 Manage Continuity At this stage, critical business operations were analyzed and information availability was maintained at a level acceptable to the company in the event of a significant disruption, with a process description establishing and maintaining a plan to allow business and IT to respond to incidents and disruptions in order to continue critical business processes and require IT services, and maintain the availability of information at a level acceptable to the company.
The expected process capability model from DSS04 was at level 4, a predictable process from the audit results, which can be seen in table 5.
It can be concluded that the average of process capability of the DSS04 Manage Continuity domain was at 5 (Managed Proces.
Table 4.
Capability LevelDomainDSS04 N0.
Current Expected Maintain continuity strategy.
Develop and implement business Continuity response.
DSS04.
Exercise, test and review the BCP.
Review, maintain and improve the continuity plan.
DSS04.
Conduct continuity plan training.
DSS04.
Manage backup arrangements DSS04.
Conduct post-resumption review.
DSS04.
DSS04.
DSS04.
DSS04.
Sub Domain Define the business continuity policy.
Objectives and scope.
Average DSS05 Manage Security Services This stage analyzed minimizing the business impact of operational information security vulnerabilities and incidents, with a description of the process of protecting company information to maintain the level of information security risk that can be accepted by access and conducting company security monitoring complies with security Defining and maintaining information security roles and rights of the expected process capability model from DSS05 was at level 4, a process that can be predicted from the audit results ( see table .
It can be concluded that the average process capability of the DSS05 Manage Security Services domain was at level 2.
6 (Established Proces.
Table 5 .
Capability Level Domain DSS05 N0.
DSS04.
DSS04.
DSS04.
DSS04.
DSS04.
Sub Domain Protect against malware.
Manage network and connectivity security.
Manage end point security.
Manage user identity and logical access.
Manage physical access to ITassets.
Current Expected DSS04.
Manage sensitive documents and output devices.
DSS04.
Monitor the infrastructure for security- related events.
Average DSS06 Manage Business Process Controls This stage analyzed the maintenance of information integrity and the security of information assets handled in business processes inside or outside the organization.
The process descriptions included define and maintain appropriate business process controls to ensure that information is related to and processed by business processes, meets all relevant information control requirements, identifies relevant information control requirements and manages and operates adequate control to ensure that information processing meets these requirements.
The expected process capability model from DSS06 was at level 4, a predictable process from the audit results .
ee table .
It can be concluded that the average of process capability of the DSS06 Business Process Controls domain was at level 2.
5 (Managed Proces.
Journal of Renewable Energy.
Electrical, and Computer Engineering, 2 .
38-46 Table 6.
Capability Level Domain DSS06 N0.
DSS04.
DSS04.
DSS04.
DSS04.
DSS04.
DSS04.
Sub Domain Align control activities embedded in Business processes with enterprise objectives.
Current Expected Manage errors and exceptions.
Ensurectraceability of information Events and accountabilities.
Secure information assets.
Average Control the processing of information.
Manage roles, responsibilities, access Privileges and levels of authority.
Figure 4.
Figure 5 and Table 7 pointing the level of capability processes of the entire process of the domain of Delivery.
Service, and Support.
Table 7.
Index Level Process Capability of domain Deliver Service and Support
Average Domain
Current
Expected Optimized DSS01
DSS02
DSS03
DSS04
DSS05
DSS06
Figure 4.
Column Graph of Process Capability Domain Deliver,Service and Support Figure 5.
Line Graph of Process Capability Domain Deliver.
Service and Support Journal of Renewable Energy.
Electrical, and Computer Engineering, 2 .
38-46 Conclusion Based on the results of research and analysis carried out in the institution, it can be concluded that the analysis was carried out using COBIT 5 in the DSS (Delivery Service, and Suppor.
domain with a calculation of the capability level, and an average value of 2.
anaged proces.
6 (Established Proces.
was obtained.
COBIT only provides control guidelines and does not provide operational implementation guidelines.
So that it is expected that in the next research process it can use an audit model other than COBIT 5 as COBIT only focuses on control and measurement.
References