Information Technology Education Journal Vol.
5 No.
Information Technology Education Journal E-ISSN: 2809-798X.
P-ISSN: 2809-7971
https://journal.
id/index.
php/INTEC/index Maturity Assessment at a University IT Center Using COBIT 2019 EDM and APO Domains Ilka ZufriaA Universitas Islam Negeri Sumatera Utara.
Medan.
Indonesia Muhammad Siddik Hasibuan Universitas Islam Negeri Sumatera Utara.
Medan.
Indonesia
ARTICLE INFO
ABSTRACT
Keywords:
Purpose Ae This study evaluates the capability of IT governance at Pustipada UIN Sumatera Utara Medan to determine whether current technology practices are aligned with institutional strategic objectives, particularly in terms of resource optimization, governance structure, and innovation.
The study addresses the gap between existing governance performance and expected capability levels within higher education Design Ae A descriptive qualitative design was employed.
Data were collected through in-depth interviews with key stakeholders identified using RACI Chart mapping, analysis of SOP and KPI strategic documents, and direct observation of objective alignment.
The evaluation focused on selected COBIT 2019 domains, namely EDM04 .
esource optimizatio.
APO01 .
anagement framewor.
, and APO04 .
Findings Ae The results indicate that the EDM04 domain achieved a capability level of 3 with a score of 2.
24, below the expected level 4 .
, resulting in a gap of 0.
The APO01 domain also reached level 3, indicating moderate maturity in governance structure, while the APO04 domain recorded a lower score of 1.
reflecting weak innovation governance.
These findings confirm that IT governance implementation remains suboptimal and requires systematic improvement.
Research implications Ae The study is limited to a single institutional context, which restricts The reliance on qualitative data and the absence of integrated financial SOPs may also affect the comprehensiveness of governance evaluation and limit deeper performance validation.
Originality Ae This research provides a quantified baseline of IT governance capability within a higher education context in North Sumatra, offering actionable insights and strategic recommendations, particularly in formalizing resource documentation and strengthening governance processes as a roadmap for similar institutions.
APO.
COBIT 2019.
EDM.
IT governance Article History Received: Dec 19, 2025 Revised : Jan 29, 2026 Accepted : Feb 20, 2026 This is an open access article under the CC BY-SA To cite this article : Zufria.
, & Hasibuan.
Maturity assessment at a university IT center using COBIT 2019 EDM and APO domains.
Information Technology Education Journal, 5.
, 18Ae40.
https://doi.
org/10.
59562/intec.
Correspondence Author: Ailkazufria@uinsu.
INTRODUCTION
Information Technology (IT) Governance is a systematic structure used to encourage desired behavior in the use of IT, which includes planning, expenditure/investment management, and IT is often referred to as an important component of corporate governance (Zulkarnain et al.
, 2024.
Harahap & Wasilah, 2.
, both in terms of industry and size (Utomo et al.
, 2.
because currently interest in the role and relevance of IT is increasing rapidly (Amali et al.
, 2.
IT is a combination of computerization and telecommunications for information dissemination activities (Wahyuni et al.
, 2.
The implementation of IT has become one of the factors that determines the defense and expands the strategy and goals of an organization (Amali et al.
, 2.
IT is essential for meeting the accessibility of information and services, having an information system that tends to refer to stakeholder needs, and having quality human resources (Widharto et al.
, 2.
University governance in Indonesia is regulated in the regulation of the Minister of Research.
Technology and Higher Education of the Republic of Indonesia No.
62 of 2017.
Operation and maintenance of IT Information Technology Education Journal | 18 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
systems is a growing theme in the international academic field, largely influenced by the recognition that universities are increasingly dependent on information technology (Suhartini & Herwidyaningtyas, 2.
To monitor the quality of a university, audits are necessary as a form of evaluation and improvement (Yuda et al.
, 2.
An audit is a systematic process of objectively evaluating evidence about statements relating to activities and events, to match those statements to predetermined criteria (Megasyah & Arifnur.
Audits aim to provide assurance that IT processes can monitor assets and control data integrity to implement the business objectives of an organization more efficiently (Fadhilah et al.
The Information Systems Audit and Control Association recently released a new version of the Control Objectives for Information and Related Technology (COBIT) framework.
COBIT 2019, which includes descriptions and solutions for measuring and assessing IT management governance (Utama et al.
, 2.
Referring to the Strategic Plan of UIN Sumatera Utara Medan for 2020-2024, the expected long-term plan is institutional governance to become a good university.
IT governance at UIN Sumatera Utara Medan is operated by the Center for Information Technology and Database (Pustipad.
, which is responsible for all information systems under the domain uinsu.
id (Nasution et al.
, 2.
As the main designer of application development.
Pustipada needs to build IT governance that works according to proven standards.
However.
Pustipada currently faces challenges in ensuring that every rapid technological innovation is accompanied by formal documentation and resource optimization that aligns with university-scale strategic goals.
Previous research by Agung Yulianto Nugroho .
concluded that the flexible application of COBIT 2019 can improve IT Governance capabilities in facing challenges in the era of digital Research at Muria Kudus University by Wabang measured the level of IT management maturity against the gap analysis (GAP) that occurred, resulting in a gap value of 1.
(Wabang et al.
, 2.
Other studies at PT Telekomunikasi Indonesia discussed services to stakeholders, optimizing risks and resources (Martinus et al.
, 2.
Additionally, research by Sipayung .
at Mikroskil University using the BAI11 domain found the current maturity level at level 2 .
and provided suggestions for improvements so that the university's expected goals are met.
While these previous studies have provided valuable insights into COBIT 2019 implementation, there is still a gap in how governance frameworks are integrated with specific organizational accountability tools like the RACI Chart within a State Islamic University context.
This research fills that gap by providing a novelty: an integrative approach that links capability levels with real organizational accountability and strategic document evidence.
Therefore, this research is considered important for IT governance at universities such as UIN Sumatera Utara Medan with the COBIT 2019 framework.
Specifically, this study focuses on the EDM04 (Ensuring Resource Optimizatio.
APO01 (Managing IT Management Framewor.
, and APO04 (Managing Innovatio.
These domains are selected because they directly address Pustipada's current needs to balance human resource capabilities with the high demand for innovative digital services while ensuring that all strategic goals can be achieved and measured.
METHOD
Materials Control Objective for Information Technologies (COBIT) is a product released by the Information Systems Audit and Control Association (ISACA).
ISACA presented COBIT as a comprehensive management guide for evaluating information technology, providing policies, guidelines, practices, and management that are useful for achieving desired objectives and minimizing losses (Zamzami et al.
, 2.
In its historical development.
COBIT began in 1996 (CobiT.
, followed by CobiT2 .
CobiT3 .
, and CobiT4 .
It is critical to note that COBIT 5 was released in 2012, while the latest version.
COBIT 2019, was released in late 2018.
This newer version incorporates enhancements for IT Management for Enterprises and the EDM (Evaluate.
Direct, and Monito.
domain (Safitri et al.
, 2.
COBIT 2019 is built upon deep IT Information Technology Education Journal | 19 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
management experience, integrating scientific insights into a comprehensive framework with two core principles: governance systems and governance frameworks (Dwi Putra et al.
, 2.
The distinction between governance and management within the COBIT framework is illustrated in Figure 1.
Figure 1.
COBIT Summary Based on Figure.
1 the COBIT focus area process describes a specific topic, domain, or control issue that each group can address.
Examples of focus areas include MSMEs, security, digital transformation, cloud computing, privacy, and DevOps.
This publication focuses on the four core COBIT models, which provide a generic governance framework.
There are an unlimited number of focus areas, making COBIT accessible to anyone.
Additional focus areas can be implemented without any restrictions.
Maturity levels are defined for all process activities to ensure appropriate process assignments at various capability levels.
To achieve a good maturity score, all processes must be COBIT 2019 supports the Capability Maturity Model Integration (CMMI) capability scheme, ranging from 0 to 5.
The capability level is a measure of how well a process is implemented and executed.
Research Instrument This study used a closed-ended questionnaire developed based on activity indicators in the EDM04.
APO01, and APO04 domains within the COBIT 2019 framework.
Each questionnaire item represents an activity process measured on a 0-5 Likert scale to determine the current .
s-i.
and expected .
o-b.
capability levels.
Code EDM04.
APO01.
APO04.
Domain / Process Activity Evaluate resource Define the Monitor and scan Assessment Indicators (Scale 0-.
To what extent does Pustipada evaluate IT resource allocation principles? Is the IT organizational structure formally defined and supports operational functions? Are there regular activities to monitor new technology trends to support campus innovation? Research Location and Timeline This research was conducted at the Center for Information Technology and Database (PUSTIPADA) of UIN Sumatera Utara Medan.
Data collection took place over a three-month period, from October to December 2023.
20 | Information Technology Education Journal Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Population and Sampling (Respondent Selectio.
This study employs a Purposive Sampling method, where respondents were selected based on roles and responsibilities relevant to the process domains under investigation (EDM04.
APO01, and APO.
Respondents were systematically identified using the RACI Chart (Responsible.
Accountable.
Consulted.
Informe.
mapping provided in the COBIT 2019 guidelines.
A total of 13 respondents participated in the study.
The variation in the number of respondents for certain processes .
, 11 for "as-is" and 13 for "to-be") is due to technical relevance criteria.
"to-be" assessments included additional managerial stakeholders to determine strategic targets, while "asis" assessments focused strictly on staff executing the operational processes.
Table 1.
Respondent Profile Role/Position Head of PUSTIPADA IT Operations Manager Database Administrator Information Security Manager App Developers/ IT Support Total Respondent Count Justification (Based on RACI) Accountable: Ultimate person in charge off all IT services Responsible: Manager of the IT management framework (APO.
Consulted: Technical executors for data and resource optimization (EDM.
Consulted: Person is charge of security and innovation (APO.
Informed: Operators and daily system Research Instrument and Validity Testing Data were collected using a closed-ended questionnaire based on a 5-point Likert scale .
The questionnaire was structured according to the COBIT 2019 Governance and Management Objectives.
Each item represents a process activity within the EDM04.
APO01, and APO04 domains.
Reliability: The instrument was tested using Cronbach's Alpha.
The test results showed a value > 0.
xceeding the threshold of 0.
, which means the instrument has excellent internal consistency.
Validity: In addition to the questionnaire, data validation was carried out through in-depth interviews and observation of physical evidence documents (Generic Work Product.
such as SOPs.
Chancellor's Decrees, and System Logs.
In this study, the Capability Maturity Level (CML) measurement uses a Likert scale to describe the questionnaire, which is summarized to represent percentages and CML.
This can be described with the following assessment formula:
Calculating the Summary of Questionnaire Answers ya ya = yaycI ycu100% .
As shown in Equation 1, the recapitulation of questionnaire answers .
n the form of percentages for each answer choice 0, 1, 2, 3, 4 or 5 for each activit.
is obtained by dividing the number of CML questionnaire answers for each choice by the number of levels 0, 1, 2, 3, 4 or 5 in each activity by the number of respondents/informants, multiplied by 100%.
Information Technology Education Journal | 21 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Calculating Values and Ability Levels ycAya=.
aycE ycu ycAyco.
aycE ycu ycAyco.
aycE ycu ycAyco.
aycE ycu ycAyco.
aycE ycu ycAyco.
aycE ycu ycAyco.
As shown in Equation 2.
NK represents the CML value in the IT process.
LP represents the percentage level in each distribution of CML questionnaire answers, and Nk is the maturity value in the mapping table of answers, values, and maturity levels.
The capability value can have a non-integer value .
ecimal numbe.
, which represents the process of acquiring the capability level that better shows the stages or classes achieved in the capability process presented in the form of integers.
LPn is the percentage of respondents answering at level n, and Nkn is the level value .
LP is specific to each level.
Calculation Example (EDM04 Domai.
If there are 13 respondents in the EDM04.
01 activity, and the distribution of the answers is:
Level 2: 4 people .
Level 3: 9 people .
Then the calculation is:
ycAya = .
7 ycu .
3 ycu .
= 2.
The result of 2.
69 indicates that the process is at capability level 2 towards level 3 The data collection method describes how to obtain data, the data source section explains the data collection method, while the evidence section explains evidence in the form of documents owned by the organization or company.
The operational table can be seen in Table 2.
Table 2.
The Operational Table COBIT EDM04 (Ensure Resource Optimisatio.
APO01 (Manage the IT Management Framework APO04 (Manage Innovatio.
Opertionalization of the Conceptual Framework Data Source of Obtaining Proof Data Evaluate.
Direct.
Monitor Interview Answering interview Interviews to validate strategy Document questions Strategy Analysis Align.
Plan and Organise Interview Answering interview Interviews to validate company Document questions SOP and KPI documents such as SOPs.
Analysis Reports and Key Performance Indicators Interview Answering interview Interview to validate company Document documents such as additional Analysis Improvements During the interview, questions and answers were conducted directly with relevant sources.
The Head of PUSTIPADA UIN Sumatera Utara Medan.
Mr.
Muhamamad Ikhsan.
Kom, was the resource person in this study.
The questions asked were related to the general overview and current IT governance issues in detail.
These questions covered the vision and mission.
IT management, organizational structure, existing regulations and policies, and all questions related to IT governance.
This interview stage was also used to obtain data regarding the level of capability of other respondents determined based on the RACI chart, where the questions used by the researcher refer to the results of COBIT 2019.
The RACI chart is used to determine and describe the influence and responsibility of individuals in an organization or company (Irawan et al.
, 2.
In addition to 22 | Information Technology Education Journal Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
interviews, researchers also used document analysis as a method in this study.
Documents were analyzed to support the information obtained through interviews and provide a clear explanation of the level of capability.
In addition, other evidence in the form of documents can increase the trust and validity of the evidence on each COBIT objective.
The data collection technique used in this study aims to ensure the relevance and validity of the data (Exacta et al.
, 2.
METHOD
The IT governance data analysis method used in this study aligns with the Assessment Process Activities in COBIT 2019, which include:
Initiation This stage is conducted to obtain information about the organization and its current state, as well as to identify its future aspirations.
At this stage, the domain definition process is also conducted for evaluation and improvement.
Interviews revealed that PUSTIPADA's mission is to continuously provide the best service to the entire academic community, educational staff, and stakeholders through information and communication technology services.
PUSTIPADA uses stakeholder needs as a means to derive value from IT usage, user satisfaction with IT service quality, and IT performance The company's chosen objective is a "competitive product and service portfolio," as shown in Figure 2.
Figure 2.
Desired Company Goals In line with PUSTIPADA's mission, which is to provide high-quality services to all communities and stakeholders to achieve their goals through information and communication technology, the company's goal is a portfolio of competitive products and services.
Furthermore, this company's goal will be in line with the IT-related goals described in COBIT 2019.
The mapping of IT-related goals included in the portfolio of competitive products and services can be seen in Figure 3.
Information Technology Education Journal | 23 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Figure 3.
Mapping of IT-related goals The next stage is to determine the domains that correspond to the mapping in the COBIT 2019 IT-related objectives.
The COBIT 2019 process mapping included in Enabling and supporting business processes by aligning applications and technologies is shown in Figure 4.
Figure 4.
IT-Related Goals to Processes Assessment Planning This stage will explain the list of respondents for the evaluation in accordance with COBIT In determining the respondent results, the organizational structure at PUSTIPADA will be used as a reference, which will be synchronized with the RACI chart maintained by COBIT 2019.
In the RACI chart, only those with responsible roles will be used as evaluation respondents, as responsible roles are those responsible for acquiring and executing tasks.
The following is a list of respondents 24 | Information Technology Education Journal Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
for EDM04 Ensuring Resource Optimization Processes.
APO01 Managing IT Frameworks, and APO04 Managing Innovation, aligned with the RACI chart mapping in Tables 3 and 4.
Table 3.
RACI Chart EDM04 Mapping RACI chart EDM04 on COBIT 2019 Chief Executive Officer (CEO) is a person who holds a position with high responsibility for the entire management of an organization.
The Chief Information Officer (CIO) is the person in the most senior position in a company, who is responsible for aligning business and IT strategies, and is responsible for conceptualizing, allocating resources, and managing the delivery of IT services and solutions to support the company's goals.
Organizational Structure of Pustipada UIN SU Medan The Director of Information Technology and Solutions is a person who is responsible for the group's technology and information aspects, business process improvement and advancement, non-commercial assets, inventory management, health and safety, environmental aspects, to achieve the group's business objectives and strategic The Head of IT Infrastructure and Security Department is a person whose position is responsible for the company's technology solutions in operations and business, as well as improving the short-term goals of information systems and technology.
Table 4.
RACI Chart APO01 and APO04 Mapping RACI chart APO01 on COBIT 2019 Business Executive, namely a senior management individual who has responsibility for the activities of a particular business unit or subsidiary.
Head Development, is a senior individual who is responsible for IT related to development process Head Architect, is a senior individual responsible for enterprise architecture.
Information Security Manager is an individual who is responsible for managing, monitoring, and assessing a company's information security.
Organizational Structure of Pustipada UIN SU Medan The Director of Information Technology and Solutions is a person who is responsible for the group's technology and information aspects, business process improvement and advancement, non-commercial assets, inventory management, health and safety, environmental aspects, to achieve the group's business objectives and strategic vision.
Application Department Head is someone who is responsible for developing IT-based application systems in a company and is responsible for managing group methods and architectural management processes.
IT Infrastructure and Security Head is someone whose responsibilities include managing the strategy and architecture of the management Database Administrator is someone who is responsible for managing a company's service support system by ensuring system security.
Data Collection Data collection is conducted by establishing output requirements for each process to be implemented at PUSTIPADA, using COBIT 2019 as a reference.
This is to demonstrate that the capability level achieved within the specified process domain has been met and to enable a concrete evaluation of process coverage.
Information Technology Education Journal | 25 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Data Validation By validating that the documentation provided by respondents is accurate and covers the assessment area correctly, this opens up the opportunity to validate the findings of the documents presented by respondents according to the established RACI Chart process domains.
Process Attribute Level The assessment is conducted by referring to the data validated in the previous step, summarizing all processes within the defined process domain and then examining the Generic Work Products (GWP) at each stage within the defined process domain to determine whether the processes meet the documentation criteria required at each level.
Reporting Results Report the results, activities for each process, and gaps from the IT governance assessment to promote suggestions made by the researchers to address current deficiencies based on the research findings, in accordance with the COBIT 2019 framework.
RESULTS AND DISCUSSION
After the data is processed, the results of the output requirements examination for each process in COBIT 2019 are obtained, namely EDM04 (Ensuring Resource Optimizatio.
APO01 (Designing IT Framewor.
, and APO04 (Managing Innovatio.
This output serves as evidence of the evaluation assessment in the stage to be assessed.
The results of the output requirements examination that must be met by PUSTIPADA are shown in tables 5-7.
The process in table 5 aims to ensure that the company's resource needs are met optimally.
IT costs are optimized, and there is a possibility of increasing the application of benefits and willingness to change in the future.
Table 5.
EDM04 (Ensure Resource Optimizatio.
Process Output.
Key Management Practice EDM04.
01 Evaluate resource EDM04.
02 Direct resources EDM04.
03 Monitor resource Outputs Guiding principles for the distribution of resources and Guiding principles for enterprise architecture Approved resource concept Communication of resource distribution strategy Assignment of responsibility for resource management.
Principles for preserving resources Feedback regarding the distribution and success of resources and Revision actions to address violations in resource management.
The process in table 6 aims to establish a stable management approach so that the governance requirements of an organization or company can be implemented optimally, including management processes, roles and responsibilities, repeatable and reliable activities, organizational structure, and expertise and capabilities.
Table 6.
APO01 (Manage the IT Framewor.
Process Output.
Key Management Practice APO01.
01 Define the organisational structure APO01.
02 Establish roles and APO01.
03 Maintain the enablers of the management system Outputs Description of organizational structure and functions Organisational operational guidelines Basic rules in communication Description of IT related roles and responsibilities Description of supervisory practices IT related regulations 26 | Information Technology Education Journal Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
APO01.
04 Communication management objectives and APO01.
05 Optimise the placement of the IT function APO01.
06 Define information .
and system ownership APO01.
07 Manage continual improvement of processes APO01.
08 Maintain compliance with policies and procedures Communication about IT targets Evaluation of options for IT organisation Clearly described operational placement of IT functions.
Data classification guide Data security and monitoring guide Data integrity mechanisms Process capability evaluation Process improvement prospects Goals and performance metrics for process improvement Corrective actions for non-compliance The processes in domain APO04 aim to achieve competitive dominance, business renewal, and optimize operational effectiveness and efficiency by leveraging advances in information This evaluation is based on six key management practices, which produce the output evidence shown in Table 7.
Table 7.
APO04 (Manage Innovatio.
Process Output.
Key Management Practices APO04.
01 Create an environment conducive to innovation APO04.
02 Maintain an understanding of the enterprise APO04.
03 Monitor and scan technology environment APO04.
04 Assess the potential of emerging technologies and innovation ideas APO04.
05 Recommend appropriate further initiatives APO04.
06 Monitor the implementation and use of Outputs Innovation targets Validation and reward program The probability of innovation is related to business drivers Research study on innovation opportunities Evaluate renewal ideas The scope of the examination of the concept and outline of the business validity study Test results from proof-of-concept initiatives Results and recommendations from proof-of-concept initiatives Analysis of unaccepted initiatives Assessment of the implementation of innovative approaches Evaluate the benefits of the update Customized innovation targets To verify the data, an evaluation calculation was performed to obtain the results of the PUSTIPADA capability level.
The questionnaire calculation in this study used the Likert Scale method and respondents who played roles according to the RACI chart contained in COBIT 2019.
The current success rate at PUSTIPADA is shown in tables 8-12.
In accordance with table 8, for the EDM04.
01 process, namely the evaluation of resource management, it can be concluded that most respondents in assessing the current condition .
s i.
are at capability level 3 with a response percentage of 2.
24%, meaning that in the resource evaluation process there is management consisting of planning and monitoring activities.
Meanwhile, for the targeted condition .
o b.
, most respondents assess the capability level at level 4 with a response percentage of 2.
62%, meaning that PUSTIPADA expects the resource management evaluation process that has been carried out to achieve the previously targeted results.
For example, in a strategic IT document that defines enterprise architecture management that is adjusted every 3 years, it is expected to achieve results in accordance with the previously set plan.
Information Technology Education Journal | 27 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Table 8.
Recapitulation Results of EDM04.
01 Questionnaire Answers.
The level of examining and making decisions about strategy, providing IT resources and developing capabilities to meet current and future needs as is Select one of the 0,00 0 0,00 0 27,27 3 54,55 6 9,09% 1 9,09% as is or to be to be Select one of the 0,00 0 0,00 0 7,69% 1 15,38 2 46,15 6 30,77 as is or to be The level of determines the principles to guide the allocation and management of resources as is Select one of the 0,00 0 8,33 1 25,00 3 50,00 6 8,33% 1 8,33% as is or to be to be Select one of the 0,00 0 0,00 0 8,33% 1 8,33% 1 50,00 6 33,33 as is or to be The level of examining and approving resource plan strategies and enterprise architecture to deliver value and reduce risk with allocated resources as is Select one of the 0,00 0 8,33 1 16,67 2 41,67 5 25,00 3 8,33% as is or to be to be Select one of the 0,00 0 0,00 0 0,00% 0 16,67 2 50,00 6 33,33 as is or to be The level of understanding the need to align resource management with agency finance and human resource planning as is Select one of the 0,00 0 0,00 0 27,27 3 54,55 6 9,09% 1 9,09% as is or to be to be Select one of the 0,00 0 0,00 0 7,69% 1 7,69% 1 46,15 6 38,46 as is or to be The level of determining the principles of management and control of the enterprise as is Select one of the 0,00 0 0,00 0 53,85 7 23,08 3 7,69% 1 15,38 as is or to be to be 28 | Information Technology Education Journal Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Select one of the as is or to be Select one of the as is or to be Current The expected Condition 0,00 0,00 9,09% 36,36 36,36 18,18 0,00 8,33 0,00% 25,00 33,33 33,33 0,00 0,00 0,17 0,08 1,50% 2,24% 0,59% 0,50% 0,33% 1,09% 2,62% 1,87% In accordance with what is in table 9, for the EDM04.
02 process, namely resource management guidelines, it can be concluded that most respondents in assessing the current condition .
s i.
are at capability level 3 with a response percentage of 1.
93%, meaning that most respondents have the opinion that the resource management guidelines process at PUSTIPADA already has guidelines related to resource management, such as strategy implementation instructions through routine communication.
Meanwhile, for the targeted condition .
o b.
, most respondents assess the capability level at level 4 with a response percentage of 2.
33%, meaning that PUSTIPADA hopes that the resource management guidelines process in the future can be arranged periodically, such as planning and monitoring activities.
As with strategic communication activities targeted in the future, these can be documented constantly.
Table 9.
Recapitulation Results of EDM04.
02 Questionnaire Answers.
The level of communicating and driving implementation of agreed resource management strategies, principles, and resource plans as is Select one of the as 0,00 0 0,00 0 41,67 5 33,33 4 25,00 3 0,00% is or to be columns % to be Select one of the as 0,00 0 0,00 0 0,00% 0 33,33 4 33,33 4 33,33 is or to be columns % The level of assigning responsibility for implementing resource management as is Select one of the as 0,00 0 8,33 1 8,33% 1 50,00 6 16,67 2 16,67 is or to be columns % to be Select one of the as 0,00 0 0,00 0 0,00% 0 16,67 2 50,00 6 33,33 is or to be columns % The level of defining key objectives, measures and metrics for resource management as is Select one of the as 0,00 0 0,00 0 27,27 3 45,45 5 27,27 3 0,00% is or to be columns % to be Select one of the as 0,00 0 0,00 0 15,38 2 15,38 2 53,85 7 15,38 is or to be columns % The level of establishing principles related to resource maintenance as is Select one of the as 0,00 0 0,00 0 23,08 3 30,77 4 23,08 3 23,08 is or to be columns % to be Information Technology Education Journal | 29 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Select one of the as 0,00 0 0,00 0 0,00% 0 27,27 3 45,45 5 27,27 is or to be columns % The level of alignment of resource management with agency finance and human resource as is Select one of the as 0,00 0 8,33 1 33,33 4 33,33 4 25,00 3 0,00% is or to be columns % to be Select one of the as 0,00 0 0,00 0 0,00% 0 33,33 4 16,67 2 50,00 is or to be columns % Select one of the as 0,00 0 8,33 1 0,00% 0 25,00 3 33,33 4 33,33 is or to be columns % Current condition 0,00 0,17 1,34% 1,93% 1,17% 0,40% The expected 0,00 0,08 0,15% 1,51% 2,33% 1,93% Condition Based on table 10, for the EDM04.
03 process, namely resource management supervision, it can be concluded that most respondents in assessing the current condition .
s i.
are at capability level 3 with a response percentage of 43.
58%, meaning that the resource management supervision process has been managed well, such as monitoring the performance achievement results produced by employees using the KPI (Key Performance Indicato.
document guide.
Meanwhile, for the targeted condition .
o b.
, most respondents assess the capability level at level 5 with a response percentage of 36.
5%, meaning that PUSTIPADA expects that in the future the resource management supervision process can reach the planned target.
For example, in human resource management supervision, it is expected that the performance produced is in accordance with the references listed in the KPI (Key Performance Indicato.
Table 10.
Recapitulation Results of EDM04.
03 Questionnaire Answers.
The level of monitoring the allocation and optimization of resources in accordance with agency goals and priorities using agreed objectives and metrics as is Select one of the 0,00 0 0,00 0 28,57 4 42,86 6 21,43 3 7,14% as is or to be to be Select one of the 0,00 0 0,00 0 10,00 1 30,00 3 20,00 2 40,00 as is or to be The level of assigning responsibility for implementing resource management as is Select one of the 0,00 0 0,00 0 18,18 2 54,55 6 27,27 3 0,00% as is or to be to be Select one of the 0,00 0 0,00 0 0,00% 0 9,09% 1 54,55 6 36,36 as is or to be The level of defining key objectives, measures and metrics for resource management as is 30 | Information Technology Education Journal Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Select one of the as is or to be to be Select one of the as is or to be Current The expected Condition 0,00 0,00 0,00 0,00 0,00 8,33 0,00 2,78 25,00 0,00% 23,92 3,33% 33,33 25,00 43,58 21,36 33,33 33,33 27,34 35,96 8,33% 33,33 5,16% 36,56 As shown in Table 11, for the APO01.
01 process, namely the determination of the organizational structure, it can be concluded that most respondents in assessing the current condition .
s i.
are at the capability level 3 with a response percentage of 46.
93%, meaning that the process of determining the organizational structure at PUSTIPADA, including planning and supervision, has been managed.
Meanwhile, for the expected condition .
o b.
, most respondents assessed the capability level at level 4 with a response percentage of 57.
71%, meaning that PUSTIPADA hopes that in the future the process that has been carried out can obtain maximum Such as in the activity of determining investment program priorities which is expected to achieve targets according to what has been planned.
Table 11.
Recapitulation Results of APO01.
01 Questionnaire Answers The level of determining the scope, internal and external roles, capabilities, and decisions required for IT activities carried out by third parties as is Select one of the as 0,00 0 0,00% 0 25,00 2 62,50 5 12,50 1 0,00% is or to be columns % to be Select one of the as 0,00 0 0,00% 0 0,00% 0 20,00 2 60,00 6 20,00% is or to be columns % The level of identifying decision-making needs to achieve corporate outcomes and IT strategy as is Select one of the as 0,00 0 0,00% 0 11,11 1 55,56 5 22,22 2 11,11% is or to be columns % to be Select one of the as 0,00 0 0,00% 0 0,00% 0 11,11 1 55,56 5 33,33% is or to be columns % The level of engagement with stakeholders is critical to decision making as is Select one of the as 0,00 0 0,00% 0 12,50 1 37,50 3 50,00 4 0,00% is or to be columns % to be Select one of the as 0,00 0 0,00% 0 0,00% 0 0,00% 0 70,00 7 30,00% is or to be columns % The level of aligning information technology with enterprise architecture as is Select one of the as 0,00 0 0,00% 0 0,00% 0 55,56 5 33,33 3 11,11% is or to be columns % to be Information Technology Education Journal | 31 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Select one of the as 0,00 0 0,00% 0 0,00% 0 12,50 1 37,50 3 50,00% is or to be columns % The level of assigning roles and responsibilities to each function in the IT structure as is Select one of the as 0,00 0 0,00% 0 28,57 2 42,86 3 28,57 2 0,00% is or to be columns % to be Select one of the as 0,00 0 0,00% 0 0,00% 0 10,00 1 40,00 4 50,00% is or to be columns % The level of establishing management structures and relationships, to support management functions and roles in line with established governance directions as is Select one of the as 0,0 0 0,00% 0 25,00 2
25,00
2 37,50
3 12,50%
is or to be columns 0% to be Select one of the as 0,0 0 0,00% 0 0,00 0,00% 0 55,56 5 44,44% is or to be columns 0% The level of establishing an IT strategy committee as is Select one of the as 0,0 0 14,29% 1 14,29 1
28,57
2 42,86
3 0,00%
is or to be columns 0% to be Select one of the as 0,0 0 0,00% 0 0,00 0,00% 0 60,00 6 40,00% is or to be columns 0% The level of forming an IT steering committee to determine IT investment program priorities in line with the company's business strategy as is Select one of the as 0,00 0 11,11 1 11,11 1 55,56 5 11,11 1 11,11% is or to be columns % to be Select one of the as 0,00 0 0,00% 0 0,00% 0 12,50 1 75,00 6 12,50% is or to be columns % The level of providing guidance for each management structure as is Select one of the as 0,00 0 0,00% 0 14,29 1 57,14 4 28,57 2 0,00% is or to be columns % to be Select one of the as 0,00 0 0,00% 0 0,00% 0 10,00 1 50,00 5 40,00% is or to be columns % The level of establishing ground rules for communicating by identifying communication needs as is Select one of the as 0,00 0 0,00% 0 12,50 1 50,00 4 25,00 2 12,50% is or to be columns % to be Select one of the as 0,00 0 0,00% 0 0,00% 0 11,11 1 66,67 6 22,22% is or to be columns % 32 | Information Technology Education Journal Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
The level of establishing and maintaining optimal coordination, communication and relationship structure between business and IT functions as is Select one of the as 0,00 0 0,00% 0 12,50 1 50,00 4 37,50 3 0,00% is or to be columns % to be Select one of the as 0,00 0 0,00% 0 0,00% 0 11,11 1 55,56 5 33,33% is or to be columns % The level of regularly verifying the adequacy and effectiveness of the organizational structure as is Select one of the as 0,00 0 0,00% 0 14,29 1 42,86 3 28,57 2 14,29% is or to be columns % to be Select one of the as 0,00 0 0,00% 0 0,00% 0 11,11 1 66,67 6 22,22% is or to be columns % Select one of the as 0,00 0 0,00% 0 0,00% 0 25,00 2 37,50 3 37,50% is or to be columns % Current condition 0,00 2,12% 15,10 46,93 29,81 6,05% The expected 0,00 0,00% 0,00% 9,12% 57,71 33,17% Condition Based on table 12, for the APO01.
02 process, namely the preparation of roles and responsibilities, it can be concluded that most respondents in assessing the current condition .
s i.
are at the capability level 3 with a response percentage of 46.
2%, meaning that the process of preparing roles and responsibilities has been managed in PUSTIPADA which includes planning and supervision activities.
Such as the supervision activities of roles and responsibilities which are carried out routinely once a month already have guidelines listed in the yellow book and KPI (Key Performance Indicato.
which describes the code of ethics.
Meanwhile, for the expected state .
o b.
, most respondents assess the capability level at level 4 with a response percentage of 67.
4%, meaning that in the future PUSTIPADA expects the processes that have been implemented to achieve the targeted results.
As in supervision activities, the code of ethics that must be adhered to by each employee is expected to be able to manage every action that will be carried out by employees.
Table 12.
Recapitulation Results of APO01.
02 Questionnaire Answers.
The level of assigning, agreeing, and communicating IT-related responsibilities to all employees in the company as is Select one of the 0,00 0 0,00% 0 16,67% 1 66,67% 4 16,67% 1 0,00% as is or to be to be Select one of the 0,00 0 0,00% 0 0,00% 0 20,00% 2 60,00% 6 20,00% as is or to be The level of considering IT service requirements and continuity when defining roles, including staff reserves and training as is Information Technology Education Journal | 33 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Select one of the as is or to be to be 0,00 0,00% 42,86% 28,57% 14,29% 14,29% Select one of the 0,00 0 0,00% 0 0,00% 0 11,11% 1 66,67% 6 22,22% as is or to be The level of providing advice for ongoing IT service processes by maintaining current information and role descriptions as is Select one of the 0,00 0 14,29 1 14,29% 1 42,86% 3 28,57% 2 0,00% as is or to be to be Select one of the 0,00 0 0,00% 0 0,00% 0 11,11% 1 55,56% 5 33,33% as is or to be The level of inclusion of roles and explanations of responsibility for compliance with management rules, procedures, codes of ethics, and professional practices as is Select one of the 0,00 0 0,00% 0 42,86% 3 14,29% 1 42,86% 3 0,00% as is or to be to be Select one of the 0,00 0 0,00% 0 0,00% 0 22,22% 2 66,67% 6 11,11% as is or to be The level of implementing supervisory practices to ensure that roles and responsibilities are carried out correctly as is Select one of the 0,00 0 0,00% 0 0,00% 0 57,14% 4 42,86% 3 0,00% as is or to be to be Select one of the 0,00 0 0,00% 0 0,00% 0 0,00% 0 66,67% 6 33,33% as is or to be The level of ensuring accountability is defined through roles and responsibilities as is Select one of the 0,00 0 0,00% 0 14,29% 1 57,14% 4 28,57% 2 0,00% as is or to be to be Select one of the 0,00 0 0,00% 0 0,00% 0 0,00% 0 88,89% 8 11,11% as is or to be The level of ensuring a structure of roles and responsibilities to reduce the possibility of single roles during critical processes as is 34 | Information Technology Education Journal Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Select one of the as is or to be to be Select one of the as is or to be Select one of the as is or to be Current
The expected Condition 0,00 0,00 0,00 0,00% 14,29% 57,14% 28,57% 0,00% 0,00% 0,00% 0,00% 66,67% 33,33% 0,00% 0,00% 25,00% 37,50% 37,50% 0,00 0,00 2,04% 20,75% 46,26% 28,91% 2,04% 0,00% 0,00% 9,21% 67,30% 23,49%
Based on table 13, for the APO01.
03 process, namely the maintenance of management system support, it can be concluded that most respondents in assessing the current condition .
s i.
are at capability level 1 with a response percentage of 58.
33%, meaning that currently it is an ongoing process in PUSIPADA to maintain management system support.
Because there is already an evaluation process with existing governance standards.
Meanwhile, for the expected condition .
o b.
, most respondents assess the capability level at level 3 with a response percentage of 61.
meaning that PUSTIPADA aims that in the future the processes that have been implemented can achieve the desired results, for example when covering governance activities, the expected improvements can be implemented in accordance with the references that have been given.
Table 13.
Recapitulation Results of APO01.
03 Questionnaire Answers.
Activity Status Gain an understanding of the company's vision, direction, and strategy Consider the company's internal environment, including management culture and philosophy, risk tolerance, security, ethical values, code of conduct, and accountability Acquire and integrate IT principles with business Answer Distribution (%) As is To be As is To be As is Align the IT control environment with the overall IT policy environment To be As is To be Align with applicable national and international governance and management standards As is To be Create a set of rules to direct IT control on key relevant topics such as quality, security, control Evaluate and update policies at least annually to accommodate changes in the business Implement IT policies for all related employees As is To be Ensure that procedures are in place to track 9 compliance with rules and determine consequences for violating them Present condition As is To be As is To be As is To be Information Technology Education Journal | 35 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
The expected conditions Judging from the overall results of the capability calculations in the EDM04 domain, from the current state to the expected state, the results of the GAP analysis and references for PUSTIPADA UINSU are as shown in table 14.
Table 14.
Recapitulation Results of GAP and Recommendations in EDM04.
Domain
As is Capability (Established As is 2,24 To be Capability (Predictable To be Score
GAP
Recommendations 0,36 EDM04.
(Resource (Established 1,93 (Predictable 2,33 EDM04.
(Resource (Established (Optimisin.
7,08 PUSTIPADA UINSU must meet the capability indicators at level 3 which have not been met.
Such as creating documentation regarding financial SOPs PUSTIPADA UINSU can be managed periodically, including As with strategic communication activities, it is hoped that in the future it can be documented regularly.
PUSTIPADA in the process of monitoring resource management can achieve the targets that have been planned.
For example, in management, it is hoped that the resulting performance will be in accordance with what is stated in the KPI (Key Performance Indicato.
EDM04.
(Evaluatio n of Based on the overall results of the calculation of capabilities in the APO01 domain, from the current state to future expectations, the results of the GAP analysis and providing references for PUSTIPADA UINSU are as in table 15.
Table 15.
Recapitulation Results of GAP and Recommendations in APO01.
Domain As is Capability APO01.
(Establishin Organizatio Structur.
(Establishe.
APO01.
(Establish Roles and (Establishe.
As is To be Capability (Predictabl.
(Predictabl.
36 | Information Technology Education Journal
To be Score
GAP
Recommendations PUSTIPADA will ensure that the processes that have been implemented can achieve optimal results.
As in the activity of determining priorities for investment programs which are expected to achieve targets in accordance with the plans that have been made PUSTIPADA is expected to increase supervision of the code of ethics that must be adhered to by every existing It is hoped that it can Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Responsibili APO01.
(Maintain Managemen t System Enable.
(Incomplet.
58,33 (Establishe.
61,11 2,78 regulate every action that will be carried out by employees.
PUSTIPADA will ensure that the processes that have been implemented can achieve the targeted results, for example during governance evaluation activities it is hoped that improvements will be carried out in accordance with the recommendations that have been Capability Level Calculation for APO04 Capability levels were calculated using the Likert Scale method with relevant respondents based on the RACI Chart mapping.
Based on the data processing results, the following is a summary of the scores for the APO04 domain:
Table 16.
Questionnaire Recapitulation and Capability Level of APO04 Domain Process Description APO04.
Create an environment conducive to innovation Maintain understanding of enterprise environment Monitor and scan technology Assess potential of emerging Recommend further initiatives Monitor implementation of Managing Innovation (APO.
APO04.
APO04.
APO04.
APO04.
APO04.
Average Current Capability (As-i.
1,60 Expected Capability (To-b.
3,00 1,55 3,00 1,45 1,50 3,00 1,50 1,65 3,00 1,35
1,55
1,63
3,00
3,00
1,45
1,37
1,58
3,00
1,42
GAP
1,40
Interpretation and GAP Analysis Based on the data in Table 16, several conclusions can be drawn regarding the condition of innovation governance at PUSTIPADA:
Current Condition (As-i.
: Domain APO04 obtained an average score of 1.
This indicates that innovation management is at an early stage, where processes such as technology monitoring (APO04.
and new idea assessment (APO04.
have not been formally standardized or consistently documented compared to domain EDM04 which has reached level 3 .
Targeted Condition (To-b.
: PUSTIPADA expects to increase capabilities to level 3.
This target is set so that the innovation management process can run in a planned manner and be monitored periodically, similar to the expectations in domain EDM04 which targets results according to the strategic plan.
Analysis of GAP: There is a gap (GAP) of 1.
This figure represents the largest gap among the domains studied, indicating the need for immediate strategic steps to formalize innovation award programs, develop business validity studies, and conduct structured proofof-concept trials to close the gap.
Information Technology Education Journal | 37 Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Contextual Discussion and Comparative Analysis The findings at PUSTIPADA UINSU provide a clear reflection of the maturity of IT governance in the Indonesian State Islamic University (PTKIN) sector.
When compared to Wabang et al.
who found a gap of 1.
63 in similar APO domains at Muria Kudus University.
PUSTIPADAAos gaps .
anging from 0.
27 to 2.
suggest a more varied level of internal readiness.
Furthermore, compared to Sipayung et al.
and Utomo et al.
, whose research achieved Level 2 and Level 3 respectively in different COBIT domains.
PUSTIPADA's performance in EDM04 (Level .
is typical for a well-structured public institution.
However, the underperformance in APO04 (Level .
is below average for institutions of this scale.
This suggests that while PUSTIPADA is efficient at "maintaining" existing resources (EDM.
, it struggles with "transformative" governance.
The implication for university IT governance in Indonesia is that institutions must shift their focus from mere administrative compliance to establishing proactive innovation pipelines and maintaining the "management system" as a living entity rather than a static document.
Research Limitations This study acknowledges several limitations that may affect the generalizability of the results:
Scope of Institution: The study is limited to a single state university (UIN Sumatera Utara Meda.
, which may have unique bureaucratic characteristics not present in private or nonIslamic universities.
Sample Size: The study relied on 13 key respondents identified via the RACI chart.
While these were the most relevant stakeholders, a broader sample might yield more diverse perspectives.
Self-Report Bias: The use of questionnaires and interviews is subject to self-report bias, although this was mitigated by cross-referencing answers with physical document evidence.
Framework Specificity: The study focused exclusively on three COBIT 2019 domains.
Other domains or the integration of different frameworks .
uch as ITIL or ISO 27.
might provide additional governance insights.
CONCLUSIONS
The assessment of IT governance at PUSTIPADA UIN Sumatera Utara using the COBIT 2019 framework reveals a dual-layered maturity profile.
Processes within the EDM04 (Ensuring Resource Optimizatio.
and APO01 (Managing IT Management Framewor.
domains have generally reached Level 3 (Establishe.
, indicating that resource evaluation, organizational structures, and role definitions are managed periodically and aligned with institutional Key Performance Indicators (KPI.
In contrast, the APO04 (Manage Innovatio.
domain remains at a lower maturity stage (Level .
, with a significant gap of 1.
41 toward the desired established state.
While operational monitoring is present, the lack of formalized innovation pipelines and systematic proof-of-concept evaluations prevents the institution from fully aligning its technological advancements with strategic long-term The overarching finding of this study identifies APO04 (Manage Innovatio.
and APO01.
(Maintain Management Enabler.
as the domains requiring the most urgent attention.
The high gap scores in these areas signify that while the "People" and "Structure" enablers of governance are functional, the "Process" and "Policy" enablers are underdeveloped.
PUSTIPADA currently operates on an established but reactive basis.
to transition to a proactive and predictable governance state (Level .
, the institution must formalize its IT resource management strategies and develop integrated financial SOPs.
Addressing these gaps is critical to ensuring that rapid technological innovations do not outpace the institutional capacity to govern them.
For future research, it is recommended to expand the evaluative scope by utilizing different measurement scales, such as the Guttman or rating scales, to capture more nuanced qualitative data.
38 | Information Technology Education Journal Author : Ilka Zufria, et.
al | Title : Maturity Assessment at a UniversityA | DOI : 10.
59562/intec.
Furthermore, applying different COBIT 2019 domains particularly within the Build.
Acquire, and Implement (BAI) focus area would provide a more holistic view of the IT lifecycle.
Finally, integrating complementary frameworks such as ISO/IEC 27001 for security or ITIL for service management is suggested to provide a comparative benchmark and ensure that UIN Sumatera UtaraAos IT governance meets international best practices.
REFERENCES