
Information Technology Governance Audit Using COBIT 5

Date post: 04-Nov-2021

Information Technology Governance Audit Using COBIT 5 Framework in the Disaster Management Office

¹Komang Devi Tripika Dewi, ²I Putu Agung Bayupati, ³I Ketut Adi Purnawan

Information Technology Department, Faculty of Engineering, Udayana University, Jimbaran, 80361 Bali, Indonesia


Abstract

An audit of the alignment between governance and information technology is carried out to assess an organization's level of readiness and its condition in managing information technology governance. One of the agencies that requires the implementation of IT governance is the XYZ Disaster Management Operations Control Unit, which functions as the organizer of information systems and as a disaster data and information center (recipient, processor, and contributor of information), as well as the center for implementing disaster services. This audit was conducted to determine the level of IT process capability based on the COBIT 5 standard and to determine the level of inequality at the XYZ Disaster Management Operations Control Unit. The IT processes used are based on the mapping of the identified business objectives, information technology objectives and information technology processes in COBIT 5. An interest level questionnaire is then distributed to select the IT processes, and a capability level questionnaire is distributed to determine the current capability value. Data from the capability level questionnaire is processed with the Guttman method, which converts respondents' answers to a value of 0 ("no" answer) or 1 ("yes" answer) at each level. Data interpretation is done to determine the current capability value and the GAP value. The results show that the EDM01, EDM02 and APO09 processes are at capability level 3 (Established). The gap found needs an improvement strategy to achieve the expected capability, namely level 4 (Predictable Process), by providing recommendations on the steps to achieve the expected capability value. The recommendations and improvements are based on the ISO/IEC 15504-2:2003 and ISO 27002 standards, obtained by mapping the IT processes in COBIT 5.

Keywords: Information Technology Audit; Capability Level; COBIT 5; Guttman

1. Introduction

The very fast development of information technology demands that an organization, agency, or company be faster and better in carrying out operations and data processing related to the evaluation of information technology governance. Conducting an audit requires a standard that supports valid and reliable measurement; one such standard is COBIT 5. The COBIT 5 standard (Control Objectives for Information and Related Technology) is chosen because the COBIT framework is considered to provide the most detailed description of how to manage and control the information technology processes that support governance and information technology objectives. The COBIT 5 standard also includes data processing by calculating capability level values that represent the level of alignment between information technology objectives and organizational business objectives [1]. COBIT 5 is a development of COBIT 4; it has adopted the ISO/IEC 38500 and ISO/IEC 31000 series for the governance area; ITIL V3 2011, ISO/IEC 20000, the ISO/IEC 27000 series and TOGAF for the management area; and PRINCE2®, which covers portfolio management and project management [1]. COBIT 5 is not just about IT processes but also includes IT governance and project portfolio management for organizations. This study uses the COBIT 5 standard as its process guideline and the Guttman scale method for data processing.


2. Methodology

This sub-chapter describes the stages of the research and the methodology of research data processing.

A. Research Stages

The stages carried out in this research are shown in Figure 1.

Fig.1 Audit Process

The steps taken include the selection of IT processes in COBIT 5; data collection consisting of interviews, observation and questionnaires; questionnaire processing; data analysis covering the current capability value and the expected capability level; improvement strategies based on COBIT 5 and the best-practice frameworks ISO 27002 and ISO/IEC 15504-2:2003 through COBIT mapping; and final conclusions.

B. Guttman Method

The Guttman scale was developed by Louis Guttman (1944, 1950) and was first used as part of a classic study of American soldiers. The Guttman scale is applied to a set of binary questions (0 and 1). The purpose of this analysis is to obtain one firm answer such as "Yes" or "No", "True" or "False", etc. [2].


Data processing starts by converting each respondent's answers: the answer "no" is converted to a value of 0 and the answer "yes" to a value of 1. The conversion results are then averaged: the binary values obtained are summed and divided by the number of questions put to the respondent (the number of questions meant here is the number of questions from level 0-5) (1) [3]. Then the normalization process is carried out, in which the average conversion value of each level (level 0 to level 5) is divided by the total of all conversion values (2). Next, the value obtained from this normalization is multiplied by the level, for each of levels 0-5 in each domain process (3). The capability level of a domain is obtained by summing the results of the level normalization process, which gives the capability level value per process id (4). The value of an IT process id is the sum of the capability level values of all respondents in that domain process divided by the number of respondents in that domain process (5). The value of the current capability (current condition) is the sum of the capability values of the IT process ids divided by the number of IT process ids contained in each IT process (6) [4].

(1)

(2)

= N × L (3)

= NL0 + NL1 +NL2+NL3+NL5+NL4 (4)

(5)

(6)
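The scoring steps (1) to (5) and the gap, as an added Python example that is not the authors' code. It assumes one reading of the prose: the level average in (1) is the mean of that level's 0/1 answers, and (2) divides each level average by the sum of the six averages. The function names are hypothetical and the answers are constructed so that two respondents reproduce the level values of rows R2 and R1 in the EDM01.01 table.

```python
from statistics import mean

LEVELS = range(6)  # COBIT 5 capability levels 0..5

def level_contributions(answers):
    """answers maps level -> list of 0/1 answers for one respondent.
    Returns level -> N x L, following steps (1) to (3)."""
    # (1) average of the binary answers per level (assumed: per-level mean)
    avg = {lv: mean(answers[lv]) if answers.get(lv) else 0.0 for lv in LEVELS}
    total = sum(avg.values())
    if total == 0:  # every answer was "no": nothing to normalise
        return {lv: 0.0 for lv in LEVELS}
    # (2) normalise so the six values sum to 1, (3) weight by the level
    return {lv: avg[lv] / total * lv for lv in LEVELS}

def respondent_capability(answers):
    # (4) sum of the weighted values NL0..NL5
    return sum(level_contributions(answers).values())

def process_capability(respondents):
    # (5) mean over all respondents of one process id
    return mean(respondent_capability(a) for a in respondents)

def gap(current, expected=4):
    # GAP = EC - CC, with expected capability level 4 as in the audit
    return expected - current

def blank():
    return {lv: [0, 0] for lv in LEVELS}  # two questions per level (constructed)

# Constructed answers, not the study's questionnaire data.
R2_LIKE = {**blank(), 2: [1, 0], 3: [1, 0]}
R1_LIKE = {**blank(), 4: [1, 0], 5: [1, 1]}
ALL_NO = blank()

if __name__ == "__main__":
    for name, r in [("R2-like", R2_LIKE), ("R1-like", R1_LIKE), ("all no", ALL_NO)]:
        print(name, round(respondent_capability(r), 2))
    cc = process_capability([R2_LIKE, R1_LIKE])
    print("process capability", round(cc, 2), "gap", round(gap(cc), 2))
```

The R1-like respondent yields 4.67 where the page's table shows 4.66, which is the sum of its two level values 1.33 and 3.33 as printed there.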

3. Results and Discussion

This section discusses the results of mapping using the COBIT 5 framework and the results of data processing using the Guttman scale method.

A. Data Processing Results of Interest Level

From the results of interest data processing, it can be seen that there are five IT processes having the highest value. The five processes are at the same level, which is very important, based on the results of questionnaires with top-level respondents and with the authorities responsible for IT in the organization. Of the five IT processes, only three were implemented, namely EDM01, EDM02 and APO09, according to the agreement with the agency. The diagram of the results of the interest level data is shown in Figure 2.

Fig.2. Data Results Level of Interest


B. Capability Processing

The processing of capability values was discussed above with the Guttman method formulas. The data processing results in Figure 3 show the stage after the capability level domain data has been calculated from the level normalization process. Figure 3 shows an example of calculating the capability level for IT process EDM01, id 01, at levels 0-5:

Fig. 3. Example of Capability Level Data Processing EDM01.01 in MS Excel

C. Results of Capability Level Data Processing

The capability model is one method of measuring information technology processes by mapping each process to its capability status. The capability level represents the capability of the IT process at the Disaster Management Operation Control Center, expressed as a value. The capability level is calculated by computing compliance at each level to obtain a compliance value per level; the values obtained from each level are then added up. Processing the data for the IT processes EDM01, EDM02 and APO09 gives the gap values in Table 1.

Table 1. Data Capability Level

IT Process | Current Capability (CC) | Expected Capability (EC) | GAP (EC-CC)
EDM01      | 3.33                    | 4                        | 4 - 3.33 = 0.67
EDM02      | 3.20                    | 4                        | 4 - 3.20 = 0.80
APO09      | 3.25                    | 4                        | 4 - 3.25 = 0.75
Average    |                         |                          | 0.74

D. Audit Recommendation

Improvement recommendations are arranged in order to overcome and reduce the value of the gap obtained. The following are recommendations prepared based on each IT process. Recommendations are prepared based on the levels attained in the IT processes EDM01, EDM02 and APO09.

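Domain: EDM01.01

Respondent | Level 0 | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 | Capability Level | Expected Level | Maximum Level
R1  | 0 | 0    | 0    | 0    | 1.33 | 3.33 | 4.66 | 4 | 5
R2  | 0 | 0    | 1.00 | 1.50 | 0    | 0    | 2.50 | 4 | 5
R3  | 0 | 0    | 0    | 0.50 | 2.00 | 1.67 | 4.17 | 4 | 5
R4  | 0 | 0    | 0    | 0    | 3.33 | 0.83 | 4.16 | 4 | 5
R5  | 0 | 0    | 0.67 | 2.00 | 0    | 0    | 2.67 | 4 | 5
R6  | 0 | 0.33 | 0.33 | 0.50 | 1.33 | 0    | 2.49 | 4 | 5
R7  | 0 | 0    | 0    | 1.00 | 2.00 | 0.83 | 3.83 | 4 | 5
R8  | 0 | 0    | 0.33 | 1.50 | 1.33 | 0    | 3.16 | 4 | 5
R9  | 0 | 0    | 0    | 0    | 2.67 | 1.67 | 4.34 | 4 | 5
R10 | 0 | 0    | 0.33 | 2.00 | 0.67 | 0    | 3.00 | 4 | 5
R11 | 0 | 0    | 0.33 | 1.50 | 1.33 | 0    | 3.16 | 4 | 5
R12 | 0 | 0    | 0    | 1.00 | 2.67 | 0    | 3.67 | 4 | 5
R13 | 0 | 0    | 0    | 1.00 | 2.67 | 0    | 3.67 | 4 | 5
Average Capability Level | | | | | | | 3.50 | 4 | 5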


4. Conclusion

In this paper, an audit of governance and information technology alignment is carried out to determine the level of IT process capability based on the COBIT 5 standard and to determine the level of inequality at the XYZ Disaster Management Operations Control Unit. The audit research on information technology governance that has been carried out includes observation and interviews within the agency/organization environment, planning, domain selection consisting of stages of identification of IT objectives, data collection, data processing, data analysis, and providing advice and repair recommendations. It is found that there are 28 IT processes in COBIT 5 that are aligned with business goals and objectives. Three IT processes are considered by respondents to have a very high level of interest, namely EDM01, EDM02 and APO09. The organization's expected capability is at level 4 - Predictable Process, with a GAP value of 0.74. From the resulting GAP, recommendations are made to improve the GAP value.

References

[1] ISACA, A Business Framework for Governance and Management of Enterprise IT, United States of America: ISACA, 2012.

[2] Abdi, H (2010). Correspondence analysis. In NJ Salkind (Ed.): Encyclo

[3] FR Pratiwi Suwarno, "Evaluation of Information Technology Governance Using COBIT 5 Framework Focusing on Processes (APO08) Case Study: PT OTO Multiartha", Jakarta: Syarif Hidayatullah State Islamic University; 2014.

[4] Dwi Iskandar, Kursini, M. Rudyanto Arief, "Audit of Information Technology Governance at Private Universities in Surakarta", Journal of INFORMA Polytechnic Indonusa Surakarta, Vol. 3, No. 1, 2017.
