CC BY
753
Assessment IT Governance of Human Resources Information System Using COBIT 5
Johanes Fernandes Andry, Hartono, Aziza Chakir
Abstract— The textile industry in Yogyakarta is one of the industries that manage human resources in the field of information technology. As one way to achieve organizational goals that have human resources that are able to develop and provide benefits for the organizations. This study focuses on the attendance information system in the textile industry located in Yogyakarta, which aims to get an overview of how far the industry provides a timely and effective response to user requests of all types of incidents. Problem found by the researchers is the occurrence of inaccuracies data on the attendance, with these inaccurate results it will automatically affect the salary results are not accurate. In this research, the authors use the framework COBIT 5 and focus on the Deliver Service and Support (DSS) domain. Researchers chose a subdomain DSS that is DSS02. The results of this research are found that sub-domains DSS02 get an average capability level is 2.4. The conclusion is the capability level obtained by the attendance information system is still below the expected level.
Keywords— Audit, Human Resources Information System, COBIT 5, DSS.
implementation and development activities, human resources are still being developed and also planning to meet and in accordance with the objectives of management in implementing human resource development in the field of information technology.
This study focuses on the attendance information system in the textile industry located in Yogyakarta, which aims to get an overview of how far the industry provides a timely and effective response to user requests of all types of incidents. Problems found by the researchers are the occurrence of inaccuracies data on the attendance of either the enter/rest/or home, where one part there is not filled. With these inaccurate results, it will automatically affect the salary results are not accurate. An Audit performed using the framework COBIT 5. COBIT is one of the ISACA output framework often used by auditors to audit information systems. This research will use the domain of Deliver Service and Support (DSS). In this domain, authors focus on sub-domains DSS02.
I. Introduction
Human resources are a key and important component in every organization. The higher the performance of human resources, the higher the organization's performance. Therefore, it is very important for every organization to have a good employee in accomplishing the given tasks and so, providing information to the organization. Ideally, employees will work at the best level they have for what they want for their workplace [1].
With the increasing influence of globalization and technology, organizations have begun using information systems in various functions and departments in the last decade. Human resource management is one department that mostly uses management information systems [2], [3]. The Human resource unit within the organization now puts more emphasis on information sharing, especially affecting the workforce [2], [4], [5].
The textile industry in Yogyakarta is one of the industries that manage human resources in the field of information technology. As one way to achieve organizational goals that have human resources that are able to develop and provide benefits for the organization. In the process of
Johanes Fernandes Andry is Senior Lecturer in Department of Information Systems, Faculty of Technology and Design, Universitas Bunda Mulia, North Jakarta, 114430, Indonesia (e-mail: jandry@bundamulia.ac.id). Hartono was students information systems in Universitas Bunda Mulia (email: hartonoaka97@gmail.com), Aziza Chakir is Faculty of Law, Economics and Social Sciences Hassan II University, Casablanca, Morocco(e-mail: azizal chakir@gmail.com).
II. Related Literature and Studies A. Assessment
Assessment is a systematic and continuous process or activity to gather information about processes and outcomes in order to make decisions based on certain criteria and considerations. The definition of the assessment was also presented by Raplh Tyler who revealed that assessment is a process of collecting data to determine the extent to which, in what way, and how goals have been achieved [7].
Processes for Governance of Enterprise it Evnlittlf, Diittl and №iij[w
Figure 1. COBIT 5 Framework [13]
B. COBIT 5
COBIT 5 is the overall framework that can help companies achieve their objective for corporate IT governance and management. COBIT 5 simply helps
companies create the optimal value of IT by maintaining a balance between gaining profits and optimizing the risk and use of resources [9].
According to [11], [12], [13], [14] there are six levels of the COBIT 5 Process Capability Model, shown in Table 1. Process Capability Model & Figure 1. COBIT 5 Framework.
COBIT 5 is general and useful for all sizes of companies, whether commercial, non-profit or government or public. COBIT 5 has five key principles for corporate governance and IT management. These five principles enable companies to build an effective governance and management framework, which can optimize the investment and use IT to benefit stakeholders [9].
In COBIT 5 there is a process reference model that defines and explains in detail the governance and management processes. The reference process model in COBIT 5 is the development of the COBIT 4.1 process model, by integrating the process model from Risk IT and Val IT [9].
The process reference model in COBIT 5 divides corporate governance and IT management processes into two major process domains [9, 10]:
1. Governance contains five governance processes, which will be determined in each Evaluate Direct, and Monitor (EDM) process consisting of 5 processes.
C. Human Resource Information System (HRIS) Human Resource Information System is an information system, which is used to track data related to HR. This one of the Management Information Systems. There are many changes in how employee data is stored before compared to the current system in the organization. It Integrates information such as employee details, payroll, benefits, performance tracking, and assessment, etc. Technological advances cause many changes in HR management. Data storage is now shifting from manual ledgers and books to computer hard drives and magnetic tapes. Data storage becomes easier and many manual jobs are deleted. Human Resource Management is then seen as a strategic development platform that deals with the most important resources of any organization. Hence it becomes known as Strategic HR Management (SHRM). Human Resource Management has made a total when the HR Information System is brought into implementation [8].
2. The management, containing four domains, is parallel to the responsibility areas of Plan, Build, Run, and Monitor (PBRM), and also provides end-to-end IT coverage. This domain is an evolution of the domain and process structure in COBIT 4.1, i.e.:
• Align, Plan, and Organize (APO), consists of 13 processes.
• Build, Acquire, and Implement (BAI), consists of 10 processes.
• Deliver, Service, and Support (DSS), consist of 6 processes.
• Monitor, Evaluate, and Assess (MEA), consists of 3 processes.
In COBIT 5 the previous level has to completely achieve first, to achieve a given level of capability [11, 12].
Table 1: Process Capability Model [13]
Level Capability Description
Level 0: Incomplete Process The process is not implemented or it cannot reach its objective. At this level, the process has no objective to achieve. For this reason, this level has no attribute.
Level 1: Performed process The implementation of the process to achieves its own purpose. This level has only one process attribute which is "Process Performance".
Level 2: Managed process The process at level 1 in implementation into a process setting (planned, monitored, and evaluated) and the work product of the process is properly defined, controlled and maintained. This level has two process attributes which are "Performance Management" and "Work Product Management".
Level 3: Established process Processes at level 2 are implemented using a defined process and are able to achieve process results. This level has two process attributes which are "Process Definition" and "Process Deployment".
Level 4: Predictable process Processes at level 3 run within defined boundaries to achieve process results. This level has two process attributes which are "Process Management" and "Process Control".
Level 5: Optimizing process Processes at level 4 at continuously upgraded to meet current and future organizational goals. This level has two process attributes which are "Process Innovation" and "Process Optimization".
III. Methods
In this research, the methodology and research stages used are started from the literature study until the submission of an audit report in Figure 2 stage of research.
Methods of data collection to be used here are through interviews and from literature studies. This study focuses on Domain DSS02 and processes DSS02.01, DSS02.02 DSS02.03, DSS02.04, DSS02.05, DSS02.06, and DSS02.07. DSS02 is used because DSS02 Managed Service Requests and Incidents in the company. DSS02 is used because this process serves to provide a timely and effective response to user requests and their resolution of all types of incidents. Restore service as normal, record and fulfill user requests and record, investigate, diagnose, level, and resolve incidents.
Figure 2: Stage of research [6]
IV. Results and Analysis
In this section researcher will discuss the process DSS02 on COBIT 5. This section will be discussed the results of capability level analysis, and recommendations on each process.
4.1 DSS02 Managed Service Requests and Incidents
This process serves to provide a timely and effective
response to user requests and their resolution of all types of incidents. Restore service as normal, record and fulfill user requests and record, investigate, diagnose, level, and resolve incidents. The purpose of these sub-domains is to achieve increased productivity and minimize disruption through the quick settlement of user questions and incidents. In this process there are 7 sub-processes:
• DSS02.01 Define Incident and Service Request Classification Schemes.
• DSS02.02 Record, Classify and Prioritize Request and Incidents.
• DSS02.03 Verify, Approve and Fulfil Service Requests.
• DSS02.04 Investigate, Diagnose and Allocate Incidents.
• DSS02.05 Resolve and Recover from Incidents.
• DSS02.06 Close Service Requests and Incidents.
• DSS02.07 Track Status and Produce Reports.
4.2 DSS02.01 Define Incident and Service Request Classification Schemes
The description in DSS02.01 is to define the scheme and model of the classification of demand and services. In this sub-process, there are seven activities used for capability level assessment.
The results of interviews on this sub-domain are the company has procedures that must be done by the company when an error occurs that is handling directly, but not in the document/poured into the form of SOP documents. Based on the analysis, these sub-domains reach the process attribute 2.2 that is Work Product Management, and then the capability level is at level 2 that is Managed Process.
4.3 DSS02.02 Record, Classify and Prioritize Requests and Incidents
The description in DSS02.02 is to identify the record and classify service and incident requests, and set priorities according to the criticality and business service agreements.
In this sub-process, there are three activities used for capability level assessment.
The results of interviews on this sub-domain are the company has procedures such as recording when an error occurs on the IT support form and then input into the IT logbook so that it can facilitate the settlement in the case of the same problem and the company has not sorted the problem notes from the most important to the least important. Based on the analysis, these sub-domains reach the process attribute 3.2 which is Process Deployment, and then the capability level is at level 3 that is Established Process.
4.4 DSS02.03 Verify, Approve and Fulfil Service Requests
The description in DSS02.03 is to select the appropriate query procedure and make sure that the service request meets the specified query criteria. Get approval, if necessary, and fulfill the request. In this sub-process, there are three activities used for capability level assessment.
The results of interviews on this sub-domain are the company may request assistance to developers when an application error occurs, even without an agreed SLA (Service Level Agreement). Based on the analysis, these sub-domains reach the process attribute 2.2 that is Work Product Management, and then the capability level is at level 2 that is Managed Process.
4.5 DSS02.04 Investigate, Diagnose and Allocate Incidents
The description in DSS02.04 is to identify and record incident symptoms, determine possible causes, and allocate for resolution. In this sub-process, there are three activities used for capability level assessment.
The results of interviews on this sub-domain are the company will record an unexplained error in the IT logbook, so it can facilitate the same problem-solving in the future. The company also will make efforts to resolve errors that occur in the application before consulting with the developer. If the problem is difficult to resolve, the company will consult with the developer. Based on the analysis, these sub-domains reach the process attribute 3.2 which is Process Deployment, and then the capability level is at level 3 that is Established Process.
4.6 DSS02.05 Resolve and Recover from Incidents
The description in DSS02.05 is to document; implement and test identified solutions and perform recovery actions to restore IT related services. In this sub-process, there are four activities used for capability level assessment.
The results of interviews on this sub-domain are the company will record the solution of the error solution to the IT logbook when the error has been resolved. The company also has a server that is used to back up important data owned by the company so that when a disaster or unexpected thing happens, the company can recover its existing data on the server. Based on the analysis, these sub-domains reach the process attribute 3.2 that is Process Deployment, and then the capability level is at level 3 that is Established Process.
4.7 DSS02.06 Close Service Requests and Incidents
The description in DSS02.06 is to verify the settlement of
a problem that satisfies or fulfills the request and closes it. In
this sub-process, there are two activities used for capability level assessment.
The results of interviews on this sub-domain are the company will verify with the developer if the problem in the application has been resolved, but only a call using the phone does not use the ticket provided by the developer. Based on the analysis, these sub-domains reach the process attribute 2.1 that is Performance Management, and then the capability level is at level 1 that is Performed Process.
4.8 DSS02.07 Track Status and Produce Reports
The description in DSS02.07 is to track, analyze and report events on a regular basis and request trend fulfillment to provide continuous improvement information. In this sub-process there are four activities used for capability level assessment.
The results of interviews on this sub-domain are the company has been recording IT problems that have occurred, and there is a periodical bookkeeping of errors that occur in the IT logbook. Based on the analysis, these sub-domains reach the process attribute 3.2 which is Process Deployment, and then the capability level is at level 3 that is Established Process.
Table 2: Capability level results
Based on the above analysis, the capability level of each process in the domain Deliver, Service, and Support (DSS) stage can be seen in table 2.
DSS02 Managed Service Requests and Incidents
> Current level > Expected level DSS 02.01
Figure 3: Capability Level on sub-domain DSS02
In Table 2 the DSS02 (Managed Service Requests and Incidents) results in a state that the average capability level is 2.4. In the sub-processes, DSS02.01 and DSS02.03 achieve level 2 capability, DSS02.02, DSS02.04, DSS02.05, and DSS02.07 have reached capability level 3. And only
DSS02.06 reaches capability level 1. This shows that the attendance information system running on this company based on the DSS02 process (Managed Service Requests and Incidents) has not yet reached the level of capability that the company expects. The results can also be applied in figure 3 Capability level on sub-domain DSS02.
4.9 Gap Analysis and Recommendations Based on the analysis of capability level that yields the average level of capability in sub-process DSS02, then compared the expected level obtained. The gap is a distance from the average capability level to the expected level. The expected level is the level of capability expected by the company; the expected level is above one level of the current level of capability. The gap analysis on the DSS02 sub-process is shown in Table 3.
In the results of a gap analysis on the process or subdomain DSS02 it is known that the DSS02 gap of 0.6, it is known the average level capability of this process is 2.4. The expected level in DSS02 is level 3 established processes. DSS02 has 7 sub-processes, there are two sub-processes that are in level 2 managed processes, four other sub-processes are in level 3 established processes, and one sub-process is in level 1 performed process. To be able to eliminate the gap, the company must increase the level of capability by implementing the following recommendations:
• Make a classification of the types of problems served, so it is easy to map to the division that will directly solve the problem.
• Create classification schemes and priorities of reported service requests, so as to prioritize service and incident requests based on business impact and urgency.
• Sort the problem notes based on the most important to the least important in order to facilitate the search in the future.
• Always verify, approve, and fulfill service requests and incident.
• Keep improving identification and recording of event symptoms, and determining the right solutions, so as to facilitate the resolution of the same problem in the future.
• Perform regular backups of company data on the server on a regular basis to minimize unwanted data loss.
• Always verify with the developer if the problem has been resolved.
• Improve and maintain regular monitoring of reports of events.
Always analyze incident events by category and type for identifiable patterns of recurring problems that do not happen again.
V. Conclusion
From the research conducted, can be concluded that the operational activities running in this company are running well enough and procedures in providing a timely response
Table 3 : Gap Analysis
Sub-process The Average level of capability Expected level Ga p
DSS02 2.4 3 0.6
DSS02 Managed Service Requests and Incidents Current level Expected level
DSS02.01 2 3
DSS02.02 3 3
DSS02.03 2 3
DSS02.04 3 3
DSS02.05 3 3
DSS02.06 1 3
DSS02.07 3 3
Average of 2.4 3
are good enough just still not optimal. Based on the results of this research, the conclusion is that the sub-domain DSS02 Managed Problem average capability level is 2.4 and still below the expected level.
Suggestion for the company, in order to achieve the expected level of capability, the advice is to implement the recommendations given. And perform periodic audits on the information system used.
References
[1] H. Tannady, and T. Sitorus. Role Of Compensation, Organization Culture, And Leadership On Working Motivation Of Faculty Member (Study Case : Universities In North Jakarta ). Vol. 19, no. 10, pp. 4147, 2017.
[2] A. F. Karikari, P. A. Boanteng, and E. O. N. D. Ocansey. The Role of Human Resource Information System in the Process of Manpower Activities. Am. J. Ind. Bus. Manag., no. 424-431, p. 5, 2015.
[3] Y. Bal, S. Bozkurt, and E. Ertemsir. The Importance of Using Human Resources Information Systems (HRIS) and a Research on Determining the Success of HRIS. Knowledge and Learning: Global Empowerment. Proceedings of the Management, Knowledge and Learning International Conference 2012, pp. 53-62.
[4] J. M. Rodriguez, and J. Venture. Human Resource Management Systems & Organizational Performance: An Analysis of the Spanish Manufacturing Industry. Int. J. Hum. Resour. Manag, vol. 12061226, p. 14, 2013.
[5] I. Troshani, C. Jerram, and S. Rao. Exploring the Public Sector Adoption of HRIS. Ind. Manag. Data Syst., Vol. 470-488, p. 111, 2011.
[6] Jelvino and J. F. Andry. Audit Sistem Informasi Absensi pada PT . Bank Central Asia Tbk menggunakan COBIT 4.1. Jutisi, Vol. 3, pp. 259-268, 2017.
[7] Arifin, Z. Evaluasi Pembelajaran. Bandung: Remaja Rosdakarya.
[8] B. Gupta. Human Resource Information System (HRIS): Important Element of Current Scenario. J. Bus. Manag. Vol. 13, no. 6, pp. 4146, 2013.
[9] R. E. Putri. Penilaian Kapabilitas proses Tata Kelola TI berdasarkan Proses DSS01 Pada Framework COBIT 5. J. CorelT, Vol. 2, no. 1, 2016.
[10] Information System Audit and Control Association (ISACA)" COBIT 5, 2012.
[11] J. F. Andry. Audit of IT Governance Based on COBIT 5 Assessments: A Case Study. J. Teknol. dan Sist. Inf., Vol. 2, no. 2, pp. 27-34, 2016.
[12] A. Pasquini. COBIT 5 and the Process Capability Model. Improvements Provided for IT Governance Process. Proceedings of FIKUSZ '13 Symposium for young Researchers, 2013, pp. 67-76.
[13] ISACA, COBIT Five: A Business Framework for the Governance and Management of Enterprise IT. 2012.
[14] J. F. Andry and K. Christianto. Audit Menggunakan COBIT 4.1 dan COBIT 5 dengan Case Study. Yogyakarta: Teknosain, 2018.
Johanes Fernandes Andry is a Senior lecturer in Department of Information System, Faculty of Technology and Design, Bunda Mulia University, Jakarta, Indonesia. He received his Master of Computer Science from Budi Luhur University in 2006. His research interests are in the area of Audit, Information System and Software Testing.
He has publish article in 9th International Seminar on Industrial Engineering & Management, Science, and Computer Science Education 2016, 2nd International Conference on Innovative Research Across Disciplines (ICIRAD 2017), and Journal of Theoretical and Applied Information Technology indexed by Scopus with title Improving Quality of SMEs Information System Solution with ISO 9126 and International Journal of Innovative Science and Research Technology with title Conceptual Framework for Successful IT-Governance and BSC for Service Industry and more journal such as journal Teknologi dan Sistem Informasi (TEKNOSI), Jurnal Sistem Informasi Universitas Indonesia, etc
Aziza Chakir is a Senior lecturer in Faculty of Law, Economics and Social Sciences Hassan II University, Casablanca, Morocco. Her research interests are in the area of IT Governance, Architecture and Expert Systems.
