Information Technology Governance Audit Using COBIT 5 Framework in the Disaster Management Office
1Komang Devi Tripika Dewi, 2I Putu Agung Bayupati, 3I Ketut Adi Purnawan
Information Technology Department, Faculty of Engineering, Udayana University
Jimbaran, 80361 Bali, Indonesia
1[email protected] ; 2[email protected]; 3[email protected]
Abstract
Audit of alignment of governance and information technology is carried out to assess the level of readiness and condition of the organization in managing information technology governance. One of the agencies that require the implementation of IT governance is the XYZ Disaster Management Operations Control Unit which has a function as the organizer of information systems, disaster data and information centers, namely recipients, processors, and information contributors as well as the center for implementing disaster services. This audit was conducted to determine the level of IT process capability based on COBIT 5 standards and determine the level of inequality owned by the XYZ Disaster Management Operations Control Unit. The IT process used is based on the mapping results of the identified business objectives, information technology objectives and information technology processes based on COBIT 5. Then for the questionnaire dissemination to select the IT process based on interest level questionnaire, the capability level questionnaire is disseminated to determine the value of current capability. Data processing from the capability level questionnaire uses the Guttman method, where this method is used to convert answers from respondents with a value of 0 (no answer) and 1 (yes answer) based on level. Data interpretation is done to determine the value of current capability and GAP value. The results of the capability level of the IT process are EDM01, EDM02 and APO09 processes which are at level 3 (Established). The gap found needs to be given an improvement strategy to achieve expected capability, namely, agency 4 (predictable process) by providing recommendations related to steps to achieve the expected capability value. Recommendations and improvements provided using ISO / IEC 15504: 2 2003 and ISO27002 standards obtained by mapping IT processes in COBIT 5.
Keywords-component; Information Technology Audit; Capability Level; COBIT 5; Guttman
1. Introduction
A very fast development of information technology demanding an organization / agency / company to be faster and better in carrying out operations and data processing related to the evaluation of information technology governance. The stages of conducting an audit require a standard that can help to become a valid and realable measurement, so that one of the standards is COBIT 5. The COBIT 5 standard (Control Objectives for Information and Related Technology) is chosen because the COBIT framework is considered to provide the most detailed description of manage and control the regulation of information technology processes that support governance and information technology objectives. COBIT 5 standard also contains data processing by calculating capability level values that represent the level of alignment of information technology objectives and organizational business objectives [1]. COBIT 5 is a development of COBIT 4 where COBIT 5 has adopted ISO / IEC 38500 and ISO / IEC 31000 series on areas of governance, ITIL V3 2011, ISO / IEC 20000, ISO / IEC 27000 series and TOGAF regarding management areas and PRINCE2® which discuss the area of portfolio management and project management [1]. COBIT 5 is not just about the IT process but has included IT governance and project portfolio management for organizations. The process used as a guideline in this study uses COBIT 5 standard, and for data processing performed using the Guttman scale method.
2. Methodology
This sub-chapter describes the stages of research conducted and the methodology of research data processing.
A. Research Stages
The stages carried out in this research are in Figure 1.
Fig.1 Audit Process
The steps taken include the selection of IT processes in COBIT 5, as well as data collection consisting of interviews, observation and questionnaires, questionnaires processing, data analysis including the value of current capabilities and the expected level of capability, improvement of strategies based on COBIT 5 and framework best practices of ISO27002 and ISO / IEC 15504: 2 2003 with COBIT mapping and final conclusions.
B. Guttman Method
The Guttman Scale was developed by Louis Guttman (1944, 1950) and was first used as part of a classic work of the Americans soldiers. The Guttman scale is applied to a set of binary questions (0 and 1). The purpose of this analysis is to get one firm answer like "Yes" and "No", "True" and "False" etc. [2]. The initial stages of data processing can be done by converting answers to each respondent where the answer "no" is converted to a value of 0 and the answer "yes" to a value of 1. The conversion results are formulated by looking for the average conversion value from the binary value which is obtained, divided with the number of questions for respondents (the number of questions in question is the number of questions from level 0-5) (1) [3]. Then the normalization process is carried out where the value obtained from the average number of conversions per level (level 0 - level 5) is divided by the total number of overall conversions (2). Afterward, normalization process is conducted where value obtained from the results of the previous normalization multiplied by the level in each domain process consisting of levels 0-5 (3). Calculating capability level domain data is obtained from the results of the level normalization process which is summed to get the result value from the capability level based on the id process (4). The value of the IT process id is obtained from the number of capability level values in each respondent in each domain process divided by the number of respondents in each domain process (5). The value of the current capability (current condition) is obtained from the total number of capability values in each IT process id divided by the number of IT processes contained in each IT process (6) [4].
(1)
𝑵𝑳 = N × L (3)
𝑪𝑳𝒊 = NL0 + NL1 +NL2+NL3+NL5+NL4 (4)
(5)
(6)
3. Results and Discussion
This section discusses the results of mapping using the COBIT 5 framework and the results of data processing using the Guttman scale method.
A. Data Processing Results of Interest Level
From the results of interest data processing, it can be seen that there are five IT processes having the highest value. The five processes are at the same level, which is very important based on the results of questionnaires with top level respondents and with the authorities responsible for IT in the organization. Of the five IT processes, only three were implemented, namely EDM01, EDM02 and APO09 according to the agreement with the agency. The diagram of the results of the interest level data is shown in Figure 2.
Fig.2. Data Results Level of Interest
B. Capability Processing
Previous
capability value processing has been discussed in the Guttman method formula.
The data processing results in Figure 3 are the process after calculating the
capability level domain data obtained from the level normalization process.
Figure 3 below shows an example of calculating the capability level in the IT
process of EDM01 id 01 at level 0-5:
Fig. 3. Example of Capability Level Data Processing EDM01.01 by Ms. Exel
C. Results of Capability Level Data Processing
Capability model is one method of measuring information technology processes by mapping each process to its capability status. The capability level represents the capability of the IT process at the Disaster Management Operation Control Center which is shown in the form of value. Capability level calculation is done by calculating compliance at each level and then obtaining the value of compliance level obtained. The values obtained from each level and then added up. The results of data processing values in the TI EDM01, EDM02 and APO09 processes so that values gap in Table 1 are found.
Table 1. Data Capability Level
IT Process |
Current Capability (CC) |
Expected Capability (EC) |
GAP (EC-CC) |
EDM01 |
3, 33 |
4 |
4 - 3.33 = 0.67 |
EDM02 |
3.20 |
4 |
4 - 3.20 = 0.80 |
APO09 |
3.25 |
4 |
4 - 3.25 = 0.75 |
Average Gap |
0.74 |
D. Audit Recommendation
Recommendation improvements is arranged in order to overcome and reduce the value of the gap (GAP) obtained. The following are recommendations prepared based on each IT process. Recommendations are prepared based on the acquisition of levels in the IT process EDM01, EDM02 and APO09.
4. Conclusion
In this paper, audit of governance and information technology alignment is carried out to determine the level of IT process capability based on COBIT 5 standard and determine the level of inequality owned by XYZ Disaster Management Operations Control Unit. The audit research on information technology governance that has been carried out which include observation and interviews within the agency/organization environment, planning, domain selection consisting of stages of identification of IT objectives, data collection, data processing, data analysis and providing advice and repair recommendations. It is found that there are 28 IT processes in COBIT 5 that are aligned with business goals and objectives. 3 IT processes are considered to have a very high level of interest by respondents, namely EDM01, EDM02 and APO09. The result of the organization's expected capability is at level 4 - Predictable Process with the GAP value of 0.74. From the resulting GAP, recommendations are made to improve the GAP value.
References
[1] ISACA, A Business Framework for Governance and Management of Enterprise IT, United States of America: ISACA, 2012.
[2] Abdi, H (2010). Correspondence analysis. In NJ Salkind (Ed.): Encyclo
[3] FR Pratiwi Suwarno "Evaluation of Information Technology Governance Using COBIT 5 Framework Focusing onProcesses Manage Relationship (APO08) Case Study: PT OTO Multiartha, Jakarta: Syarif Hidayatullah State Islamic University; 2014.
[4] Dwi Iskandar, Kursini, M. Rudyanto Arief, "Audit of Information Technology Governance at Private Universities in Surakarta", Journal of INFORMA Polytechnic Indonusa Surakarta, Vol. 3, No. 1, 2017.