Audit the Implementation of Information Technology Governance in Financial Services Company Using COBIT 4.1 Framework
Dimas Bagus Prasetyo, Lily Wulandari
Abstract— The performance of information technology in a company needs to be monitored and evaluated periodically so that all information technology management mechanisms run in accordance with the planning, objectives, and strategic plans set by the company. The purpose of this research is to audit the implementation of the information technology governance process at BCA Finance and to measure the maturity level of each information technology process using COBIT 4.1. The results of this research show that BCA Finance scored 3.08 as the average of all four domains, which places it at the defined level. BCA Finance already has standardized procedures that are documented and communicated to employees through training, but their implementation still depends on individual capability.
Keywords— Audit, COBIT 4.1, Information Technology Governance, Maturity Level.
I. Introduction
The use of information technology continues to provide excellent results in order to support the company's business performance. The use of information technology in the company is useful to enhance competitive advantage, transform services, minimize work processes, and provide more efficient services to customers. Information technologies (IT) have revolutionized the business world irrevocably and in the context of the information age companies increase their IT investments, becoming a major competitive component for companies [1]. The use and utilization of information technology is now a concern in all areas due to high investment value and directly affect the operational activities and business processes. Information technology (IT) performs major roles in organisations, which includes business processes, procedures, innovations and new product development [2]. Devos, Van Landeghem and Deschoolmeester (2011) concluded that because of the vital role that IT has in organisations, IT governance must be adopted to sustain and enable business objectives and to mitigate related risks [3][4]. According to the IT Governance Institute, the overall objective of IT governance
is to elevate the strategic importance of IT in order to enable the enterprise to sustain its operations and extend activities into the future while mitigating associated risks [5].
Dimas Bagus Prasetyo is a master's graduate of the Department of Management Information Systems, Faculty of Technology and Engineering, Gunadarma University, Depok, West Java, Indonesia. Lily Wulandari is a Senior Lecturer at the Department of Management Information Systems, Faculty of Technology and Engineering, Gunadarma University, Depok, West Java, Indonesia.
IT governance provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives. IT governance integrates and institutionalises optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance [5]. Sanyoto Gondodiyoto (2007) stated that information technology governance is one of the most important part of successful implementation of good corporate governance [6]. Information technology governance is important because it ensures the measurement of the effectiveness and efficiency of improving the company's business processes through the structure associated with information technology toward the company's strategic objectives [5].
Many information technology governance frameworks have been currently developed. Those frameworks are available to manage IT and to assist IT to achieve the business objectives, through governance. One of the most widely used standards of information technology governance today is COBIT. COBIT provides managers, auditors, and IT users with a set of generally accepted steps, indicators, processes and best practices to assist them in maximizing the benefits gained through the use of IT and developing IT governance within a company / organization. COBIT helps meet various management needs by bridging the gap between business risk, control needs, and technical issues [7].
PT BCA Finance, referred to as BCA Finance, was established in 1981 under the name of PT Central Sari Metropolitan Leasing Corporation (CSML). Initially, PT Bank Central Asia and Japan Leasing Corporation were the Company's shareholders. At that time, the Company was focusing its business on commercial finance, such as financing for production machines, heavy equipments, and transportation. There were several changes happened in 2001, such as share ownership change in which PT Bank Central Asia, Tbk became the major shareholders; a change of business focus to four or more wheeled vehicles financing, and followed by name changing from PT Central Sari Metropolitan Leasing Corporation (CSML) to PT Central Sari Finance (CSF) before finally changed its name to PT BCA Finance on March 28th, 2005 [8][9][10].
Along the time, BCA Finance has been gradually developing and growing, as indicated by the number of new
financing distribution and total managed assets that have increased significantly. The company strives to continually improve its market share by implementing an appropriate strategy, expanding new branches, and providing the best customer services. As of December 2016, 64 business networks were recorded on location of 54 cities and 34 provinces across Indonesia. As one of the keys to success that accompanies the rapid growth of the company's business, innovative information technology development continues to be intensified in support of the company's overall service and performance [8][9]. The performance of information technology in BCA Finance needs to be monitored and evaluated periodically so that all IT management mechanisms run in accordance with the planning, objectives, and strategic plans set by the company.
The main purpose of this research is to audit the implementation of IT Governance in BCA Finance using COBIT. The result will be able to be used as the reference by the management in improving the implementation of IT Governance in BCA Finance. The evaluation and improvement of IT governance is extremely important because it allows companies to control if they are really making effective management of their IT, to ensure maximum benefits and management of the associated risks [11].
II. Related Literature and Studies
A. Information Technology Governance
The way enterprises govern their Information Technology (IT) is referred to as IT Governance and it has gradually over time become one of the most crucial parts of an enterprise. In order to realize good corporate governance, IT governance is becoming more and more prominent, and is defined as a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes. IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. Furthermore, IT governance integrates and institutionalizes best practices of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance to ensure that the enterprise's information and related technology support its business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. IT Governance focuses specifically on information technology systems, their performance and risk management. The primary goals for IT governance are assure that the investments in IT generate business value and mitigate the risks that are associated with IT. This leads to the five main focus areas for IT governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk management. Three of them are drivers: strategic alignment, resource management (which overlays them all) and performance measurement [5][12]. The following are the explanation of five main focus area for IT Governance:
1. Strategic alignment : Focuses on ensuring the linkage of business and information technology plans.
2. Value delivery : Executing the value proposition throughout the delivery cycle and concentrating on optimising costs and providing the intrinsic value of information technology.
3. Risk management : Addressing the safeguarding of IT assets, disaster recovery and continuity of operations.
4. Resource management : Use and allocation of IT resources.
5. Performance measurement : Tracking project delivery and monitoring IT services.
B. COBIT
Control Objectives for Information and Related Technology (COBIT) is a set of best practices (frameworks) for information technology management created by the Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI) in 1996. COBIT is a general standard for IT governance, with the main purpose of defining the organizational processes necessary for IT to meet business objectives. The standard divides IT operations into 34 processes, ranging from strategy to development, operation and support. It provides recommendations on the elements that should exist within IT processes, how to measure process maturity and how to identify risks. According to COBIT 4.1, the business orientation of COBIT consists in linking business goals to IT goals, providing metrics and maturity models to measure their achievement, as well as identifying the associated responsibilities of business and IT process owners. The framework of COBIT consists of high-level control objectives which are grouped into four main domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME) [5][13]. The interrelation between these four domains is illustrated in Figure 1, and the domains are described as follows:
1. Plan and Organise (PO)— This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives.
2. Acquire and Implement (AI)— To realise the information technology strategy, information technology solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process.
3. Deliver and Support (DS)— This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities.
4. Monitor and Evaluate (ME)— All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance.
[Figure: The Four Interrelated Domains of COBIT: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate]
Figure 1. The Four Interrelated Domains of COBIT [7]
C. Maturity Model COBIT 4.1
Maturity modelling for management and control over IT processes is based on a method of evaluating the organisation, so it can be rated from a maturity level of nonexistent (0) to optimised (5). The maturity model is a way of measuring how well developed management processes are, i.e., how capable they actually are. How well developed or capable they should be primarily depends on the IT goals and the underlying business needs they support. How much of that capability is actually deployed largely depends on the return an enterprise wants from the investment [5][7][14].
The advantage of a maturity model approach is that it is relatively easy for management to place itself on the scale and appreciate what is involved if improved performance is needed. The scale includes 0 because it is quite possible that no process exists at all. The 0-5 scale is based on a simple maturity scale showing how a process evolves from a nonexistent capability to an optimised capability. To make the results easily usable in management briefings, where they will be presented as a means to support the business case for future plans, a graphical presentation method needs to be provided on Figure 2 [5][7][14].
[Figure: maturity scale from 0 to 5, labelled Non-existent (0), Initial/Ad Hoc (1), Repeatable but Intuitive (2), Defined Process (3), Managed and Measurable (4), Optimised (5)]
Legend for symbols used: enterprise current status, industry average, enterprise target.
Legend for rankings used:
0—Management processes are not applied at all.
1—Processes are ad hoc and disorganised.
2—Processes follow a regular pattern.
3—Processes are documented and communicated.
4—Processes are monitored and measured.
5—Good practices are followed and automated.
Figure 2. Graphical Representation Maturity Model [7]
III. Methodology
A. Research Method
The research method used in the audit of the implementation of IT Governance in this case study consists of several steps. The problem collection step started by collecting the data needed to define the background of the problem. The data obtained in the previous step was then analyzed in order to identify the main problem. The output of this analysis is the research question that becomes the basis of this research. The review of the literature has provided the theoretical background needed to understand the scope of the study. The research methodology consists of several steps, and several methods are used to audit the implementation of information technology in BCA Finance using COBIT 4.1.
The result of the identification process from COBIT Business Goals to COBIT Objective contains the instruments used in the research questionnaire. The research questionnaire contains a collection of statements related to information technology governance in accordance with the COBIT 4.1 guidelines. The data was collected through interviews, a questionnaire, observation, and a review of literature and written documents. The data obtained from the questionnaire was then analyzed using the maturity model. The gap analysis was performed by comparing the current maturity level with the expected maturity level. The improvement recommendations were made based on references from the Information Systems Audit and Control Association (ISACA), the IT Governance Institute (ITGI), and the audit guidelines using COBIT 4.1 [5][7]. The conclusions and suggestions summarize the results of the research and provide suggestions to the company based on the research that has been done [15][16]. The entire process can be seen in Figure 3.
Figure 3. Research Method
B. Data Collection Method
The data collection method according to the COBIT indicator is the information technology performance evaluation process using questionnaires, strengthened by interviews, observations, and related literature studies [15][17]. Each of the data collection methods is explained below:
1. Interview
Interviews were conducted to obtain a more complete description of the issues studied that might not be captured through the questionnaire. Interviews were conducted to find out the problems related to the process of implementing information technology governance and to determine the maturity levels expected by BCA Finance in the future. Based on the results of interviews with the managers of the IT & Business Process department in BCA Finance, the company's expected maturity level is 4.5.
2. Questionnaire
The questionnaire-based data collection in this study follows the guidelines of the COBIT 4.1 framework. Questionnaires were distributed to BCA Finance employees from staff to manager level. The questionnaire is intended to get an assessment of the real conditions of information technology governance at BCA Finance.
3. Observation
Observation is a method of data collection that is done by observing directly by looking at and retrieving data needed in the place where the research is conducted. Data collection was carried out at the BCA Finance Office in Jakarta directly, such as seeing how the information system is running. In addition, it is also used to see the description of which parties have an interest in carrying out the expected activities.
4. Literature and Written Documents
The library method and written documentation in this study are studying books, annual reports, and other sources of information related to the topic of discussion to gain an understanding of the subject and object to be studied. In addition, written documents are also needed relating to the implementation of information technology governance monitoring and evaluation in BCA Finance, Jakarta.
IV. Results and Discussions
A. Mapping Business Goals, IT Goals, and IT Process COBIT defines as business objectives related to information technology activities that generally exist in a company. To identify business goals by analyzing the business goals and objectives of the BCA Finance which is later mapped in the COBIT 4.1, by aligning goals and objectives in accordance with the business goals of COBIT 4.1. There are 28 goals and 17 information technology business goals of mapping information technology and business objectives based on COBIT 4.1 standards. Identification of previous business goals results obtained are used as reference to get the relationship with IT goals. COBIT framework also maps the relationship between IT goals with COBIT IT process. Every IT goals can be composed of several related IT process. It was based on the identification that has been made in the business and IT goals and there is found some related information technology processes. The results of IT process of the mapping between IT goals to IT based on COBIT 4.1 process is as shown in Table 1 [7][18].
Table 1. Mapping IT Process BCA Finance and IT Domain
No. | IT Domain | IT Process BCA Finance
1. | Plan and Organise (PO) | PO1, PO2, PO3, PO4, PO5, PO6, PO7, PO8, PO9, PO10
2. | Acquire and Implement (AI) | AI1, AI2, AI3, AI4, AI5, AI6, AI7
3. | Deliver and Support (DS) | DS1, DS2, DS3, DS4, DS5, DS6, DS7, DS8, DS9, DS10, DS11, DS12, DS13
4. | Monitor and Evaluate (ME) | ME1, ME2, ME3, ME4
B. Maturity Level Measurement
The result of maturity level measurement of domain plan and organise can be seen in Table 2. Based on the measurement results the highest maturity level obtained by IT Process PO6 - Communicate management aims and direction is 3.23 while the lowest obtained by IT Process PO8 - Manage Quality is 2.79. The average value of the domain Plan and Organise is 3.05. The maturity level of this domain still revolves around the interval scale of 2.51 - 3.50, located at level 3 which means defined. The following explanation for each IT process from PO domain:
1. PO1 - Define a Strategic Plan
The maturity level obtained for IT Process PO1 -
Define a strategic IT plan is 3.17, which means defined.
IT strategic planning at BCA Finance already exists and
follows a structured approach that is documented and
recognized by all employees.
2. PO2 - Define the Information Architecture
The maturity level obtained for IT Process PO2 -Define the information architecture is 2.9, which means defined. It can be concluded that BCA Finance management realizes the importance of the information architecture and responsibility for its delivery is assigned and clearly communicated.
3. PO3 - Determine Technological Direction
The maturity level obtained for IT Process PO3 - Determine technological direction is 2.89, which means defined. BCA Finance management is aware of the importance of the technology infrastructure plan. There is a defined, documented and well-communicated technology infrastructure plan, but it is inconsistently applied.
4. PO4 - Define the IT Processes, Organisation and Relationships
The maturity level obtained for IT Process PO4 -Define the IT process, organisation, and relationships is 3.21, which means defined. IT organisation in BCA Finance is developed, documented, communicated and aligned with the IT strategy. There is formalisation of relationships with other parties, including steering committees, internal audit and vendor management.
5. PO5 - Manage the IT Investment
The maturity level obtained for IT Process PO5 -Manage the IT investment is 2.85, which means defined. It can be concluded that policies and processes for investment and budgeting in BCA Finance are defined, documented and communicated, and cover key business and technology issues.
6. PO6 - Communicate Management Aims and Direction
The maturity level obtained for IT Process PO6 - Communicate management aims and direction is 3.23, which means defined. It can be concluded that a complete information control and quality management environment is developed, documented and communicated by management and includes a framework for policies, plans and procedures.
7. PO7 - Manage IT Human Resources
The maturity level obtained for IT Process PO7 -Manage IT human resources is 3.17, which means defined. BCA Finance management has a defined and documented process for managing IT human resources. An IT human resources management plan exists and there is a strategic approach to hiring and managing IT personnel.
8. PO8 - Manage Quality
The maturity level obtained for IT Process PO8 -Manage quality is 2.79, which means defined. BCA Finance provides an education and training programme to teach all levels of the organisation about quality. Basic quality expectations are defined and are shared amongst projects and within the IT organisation.
9. PO9 - Assess and Manage IT Risks
The maturity level obtained for IT Process PO9 - Assess and manage IT risks is 3.21, which means defined. BCA Finance provides risk management training to staff members, and the methodology for the assessment of risk is convincing and ensures that key risks to the business are identified.
10. PO10 - Manage Projects
The maturity level obtained for IT Process PO10 -Manage projects is 3.13, which means defined. IT project management process and methodology in BCA Finance are established and communicated. IT projects are monitored, with defined and updated milestones, schedules, budget and performance measurements.
The result of maturity level measurement of domain Acquire and Implement can be seen in Table 3. Based on the measurement results the highest maturity level obtained by IT Process AI4 - Enable operation and use is 3.19, while the lowest obtained by IT Process AI6 - Manage Changes is 2.86. The average value of the domain Acquire and Implement is 3.04. The maturity level of this domain still revolves around the interval scale of 2.51 - 3.50, located at level 3 which means defined. The following explanation for each IT process from AI domain:
1. AI1 - Identify Automated Solutions
The maturity level obtained for IT Process AI1 - Identify automated solutions is 2.91, which means defined. In determining information technology solutions, BCA Finance has used a clear and structured approach. The approach for determining IT solutions is applied for some projects based on factors such as the decisions made by the individual staff members involved and the original business requirement.
2. AI2 - Acquire and Maintain Application Software
The maturity level obtained for IT Process AI2 -Acquire and maintain application software is 3.12, which means defined. In the process of maintaining and developing software applications, BCA Finance has used a clear process and is generally understood by all internal IT departments.
3. AI3 - Acquire and Maintain Technology Infrastructure
The maturity level obtained for IT Process AI3 -
Acquire and maintain technology infrastructure is 3.18, which means defined. In the process of maintaining and developing technological infrastructure, BCA Finance has established a clear and well-understood procedure by internal IT departments.
4. AI4 - Enable Operation and Use
The maturity level obtained for IT Process AI4 -Enable operation and use is 3.19, which means defined. BCA Finance has established a clearly defined, accepted and understood framework for user documentation, operating manuals and training materials.
5. AI5 - Procure IT Resources
The maturity level obtained for IT Process AI5 -Procure IT resources is 2.87, which means defined. Information technology management at BCA Finance has established policies and procedures for information technology acquisition. Policies and procedures are guided by the overall procurement process of the company.
6. AI6 - Manage Changes
The maturity level obtained for IT Process AI6 -Manage changes is 2.86, which means defined. BCA Finance has defined a formal change management process, including categorization, priority, emergency procedures, authorization changes and release management.
7. AI7 - Install and Accredit Solutions and Change
The maturity level obtained for IT Process AI7 - Install and accredit solutions and change is 3.18, which means defined. BCA Finance already has a formal methodology relating to installation, migration, conversion of information technology. The installation and process of information technology accreditation is integrated into the system life cycle to some extent.
Table 2. Domain Plan and Organise (PO)
IT Process | Process | Maturity Level
PO1 | Define a strategic plan | 3.17
PO2 | Define the information architecture | 2.90
PO3 | Determine technological direction | 2.89
PO4 | Define the IT processes, organisation, and relationships | 3.21
PO5 | Manage the IT investment | 2.85
PO6 | Communicate management aims and direction | 3.23
PO7 | Manage IT human resources | 3.17
PO8 | Manage quality | 2.79
PO9 | Assess and manage IT risks | 3.21
PO10 | Manage projects | 3.13
Average | | 3.05
Table 3. Domain Acquire and Implement (AI)
IT Process | Process | Maturity Level
AI1 | Identify automated solutions | 2.91
AI2 | Acquire and maintain application software | 3.12
AI3 | Acquire and maintain technology infrastructure | 3.18
AI4 | Enable operation and use | 3.19
AI5 | Procure IT resources | 2.87
AI6 | Manage changes | 2.86
AI7 | Install and accredit solutions and change | 3.18
Average | | 3.04
The result of maturity level measurement of domain Deliver and Support can be seen in Table 4. Based on the measurement results the highest maturity level obtained by IT Process DS11 - Manage data is 3.28, while the lowest obtained by IT Process DS13 - Manage operations is 2.88. The average value of the domain Deliver and Support is 3.13. The maturity level of this domain still revolves around the interval scale of 2.51 - 3.50, located at level 3 which means defined. The following explanation for each IT process from DS domain:
1. DS1 - Define and Manage Service Levels
The maturity level obtained for IT Process DS1 -Define and manage service levels is 3.22, which means defined. The service and level of service provided by BCA Finance has been defined, documented and approved using standard processes. The company also continues to develop Service Level Agreement (SLA) in order to reassess the service level and customer satisfaction.
2. DS2 - Manage Third-Party Services
The maturity level obtained for IT Process DS2 -Manage third-party services is 3.21, which means defined. BCA Finance already has a documented procedure applied to manage third party services, with a clear process for checking and negotiating with vendors.
3. DS3 - Manage Performance and Capacity
The maturity level obtained for IT Process DS3 -Manage performance and capacity is 3.21, which means defined. BCA Finance has defined performance and capacity requirements throughout the system life cycle. Companies have defined service level requirements and metrics that can be used to measure operational performance.
4. DS4 - Ensure Continuous Service
The maturity level obtained for IT Process DS4 -Ensure continuous service is 3.19, which means defined. This indicates that responsibility for the planning and testing of sustainable services at BCA Finance has been clearly established and assigned.
5. DS5 - Ensure Systems Security
The maturity level obtained for IT Process DS5 -Ensure systems security is 3.22, which means defined. This indicates that information technology management at BCA Finance has established information technology security procedures to be aligned with company policy.
6. DS6 - Identify and Allocate Costs
The maturity level obtained for IT Process DS6 -Identify and allocate costs is 3.19, which means defined. This indicates that BCA Finance already has a defined and documented cost information service model. The allocation of enterprise information technology costs tailored to business needs and their implementation is monitored to conform to the planned.
7. DS7 - Educate and Train Users
The maturity level obtained for IT Process DS7 -Educate and train users is 3.17, which means defined. BCA Finance has already planned, standardized and communicated training and education programs. Budgets, resources, facilities and trainers are determined to support training and education programs.
8. DS8 - Manage Service Desks and Incidents
The maturity level obtained for IT Process DS8 -Manage service desks and incidents is 3.05, which means defined. Incident management procedures at BCA Finance have been standardized and documented, and informal
training is left to the individual to gain an understanding of the incident management processes that follow the standards.
9. DS9 - Manage the Configurations
The maturity level obtained for IT Process DS9 -Manage the configuration is 2.89, which means defined. BCA Finance already has procedures and working practices documented, standardized and communicated, but the training and implementation of standards are still based on individual capabilities.
10. DS10 - Manage Problems
The maturity level obtained for IT Process DS10 - Manage problems is 2.92, which means defined. The need for problem management at BCA Finance is effectively integrated and has management support, and management provides budget for employee training. The solutions to escalation problems and processes at BCA Finance have been standardized, but the incident management and problem identification analysis are limited and informal.
11. DS11 - Manage Data
The maturity level obtained for IT Process DS11 - Manage data is 3.28, which means defined. The data management procedures are formalized, and some tools for backup / restoration and disposal of equipment are used. Formal training related to data management has also been provided by management.
12. DS12 - Manage the Physical Environment
The maturity level obtained for IT Process DS12 - Manage the physical environment is 3.21, which means defined. This indicates that the need to maintain a computing environment is controlled and understood by the company. Environmental control, preventive maintenance and physical security have become budget items that are approved and tracked by management.
13. DS13 - Manage Operations
The maturity level obtained for IT Process DS13 -Manage operations is 2.88, which means defined. BCA Finance already has a formal, standardized, and documented procedure that becomes the reference for operational management of information technology. Formal policies are developed by management to reduce the number of unscheduled events.
Table 4. Domain Deliver and Support (DS)
IT Process | Process | Maturity Level
DS1 | Define and manage service levels | 3.22
DS2 | Manage third-party services | 3.21
DS3 | Manage performance and capacity | 3.21
DS4 | Ensure continuous service | 3.19
DS5 | Ensure systems security | 3.22
DS6 | Identify and allocate costs | 3.19
DS7 | Educate and train users | 3.17
DS8 | Manage service desks and incidents | 3.05
DS9 | Manage the configuration | 2.89
DS10 | Manage problems | 2.92
DS11 | Manage data | 3.28
DS12 | Manage the physical environment | 3.21
DS13 | Manage operations | 2.88
Average | | 3.13
The result of maturity level measurement of domain Monitor and Evaluate can be seen in Table 5. Based on the measurement results the highest maturity level obtained by IT Process ME1 - Monitor and evaluate IT performance is 3.16 while the lowest obtained by IT Process ME4 - Provide IT governance is 3.01. The average value of the domain Monitor and Evaluate is 3.11. The maturity level of this domain still revolves around the interval scale of 2.51 - 3.50, located at level 3 which means defined. The following explanation for each IT process from ME domain:
1. ME1 - Monitor and Evaluate IT Performance
The maturity level obtained for IT Process ME1 - Monitor and evaluate IT performance is 3.16, which means defined. BCA Finance has established roles and responsibilities within the process of monitoring and overseeing the performance of information technology. In addition, the company has provided training programs for employees related to the monitoring and supervision of information technology performance.
2. ME2 - Monitor and Evaluate Internal Control
The maturity level obtained for IT Process ME2 - Monitor and evaluate internal control is 3.15, which means defined. This indicates that management supports institutional monitoring and internal control. Policies and procedures are also developed to assess and report on internal monitoring and control activities. Education and training programs for internal control monitoring are defined.
3. ME3 - Ensure Compliance with External Requirements
The maturity level obtained for IT Process ME3 - Ensure compliance with external requirements is 3.11, which means defined. This shows that policies, plans and procedures are developed, documented and communicated to ensure compliance with contractual and legal rules and obligations, but some may not always be followed or may be impractical to implement.
4. ME4 - Provide IT Governance
The maturity level obtained for IT Process ME4 - Provide IT Governance is 3.01, which means defined. BCA Finance's information technology management understands well the importance of information technology governance in supporting the company's operations, but management has not yet implemented the information technology governance process as part of management.
Table 5. Domain Monitor and Evaluate (ME)

| IT Process | Process | Maturity Level |
|---|---|---|
| ME1 | Monitor and evaluate IT performance | 3.16 |
| ME2 | Monitor and evaluate internal control | 3.15 |
| ME3 | Ensure compliance with external requirements | 3.11 |
| ME4 | Provide IT governance | 3.01 |
| Average | | 3.11 |

C. Gap Analysis
The gap analysis of information technology governance aims to make improvement of information technology governance easier by showing, from the maturity level attributes, which processes have gaps and require improvement by enterprise management. The gap in the maturity level of information technology governance is analysed by comparing the expected maturity level of information technology governance with the current maturity level of information technology governance.
The radar chart comparing current maturity with expected maturity for the 34 IT Processes used in this research can be seen in Figure 4. Based on the results of interviews with the manager of the IT & Business Process department in BCA Finance, the company targets an expected maturity of 4.5. The chart shows that the overall IT Process in BCA Finance has not reached the expected results, so recommendations for improvement are proposed to improve the achievement of the current maturity level.
[Figure 4. Radar chart of current maturity and expected maturity]
D. Recommendations for Improvement
Based on the audit results, recommendations are proposed to improve the IT Governance in BCA Finance. Some of the priority recommendations are:
1. Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.
2. Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets.
3. Identify, document and analyse risks associated with the business requirements and solution design as part of the organisation's process for the development of requirements.
4. Develop and follow a set of procedures and standards that is consistent with the business organisation's overall procurement process and acquisition strategy to acquire IT-related infrastructure, facilities, hardware, software and services needed by the business.
5. Implement processes to report and classify problems that have been identified as part of incident management. The steps involved in problem classification are similar to the steps in classifying incidents; they are to determine category, impact, urgency and priority.
6. Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Confirm that the IT governance framework ensures compliance with laws and regulations and is aligned with, and confirms delivery of, the company's strategies and objectives.
V. Conclusion
Based on the audit and analysis of the maturity level of the implementation of information technology governance at BCA Finance, and on the results of mapping BCA Finance business objectives to the COBIT 4.1 Business Goals, there are 34 IT Processes and 210 detailed control objectives that can be applied in the audit process of information technology governance implementation at BCA Finance. The highest maturity level is obtained by the DS domain with a value of 3.13 and the lowest by the AI domain with a value of 3.04. The PO and ME domains score 3.05 and 3.11 respectively. The maturity level measurement results show that the application of the information technology governance process at BCA Finance is at an average level of 3.08. The maturity level achieved by BCA Finance has exceeded international standards that are on a scale of 2.5 and has reached the defined level, which means that BCA Finance already has standardized, documented procedures communicated to employees through training, but their implementation still depends on individual capabilities and the procedures are not applied consistently. Given the gap between the current maturity level of BCA Finance and the expected maturity level, recommendations for improvement are proposed to raise future BCA Finance maturity levels. These recommendations can be used as a reference to improve the process of implementing information technology governance at BCA Finance.
References
[1] Dehning, B., Dow, K., Stratopoulos, T., "Information Technology Organizational Slack," International Journal of Accounting Information Systems, 2004, 5 (1), pp. 51 - 63.
[2] Chan, S.L., "Information Technology in Business Processes," Journal of Business Process Management, 2000, 6 (3), pp. 224 - 237.
[3] Devos, J., Van Landeghem, H., & Deschoolmeester, D., "Rethinking IT Governance for SMEs," Industrial Management & Data Systems, 112(2), pp. 206-223.
[4] Batyashe, T., Iyamu T., "IT Governance: An Architectural Framework Based on Consolidated Best Practices," Journal of Governance and Regulation, 2016, 5 (1), pp. 7 - 15.
[5] IT Governance Institute, "COBIT 3rd Edition Audit Guidelines, Information Systems Audit and Control Foundation," IT Governance Institute, USA, 2000.
[6] Gondodiyoto, S., "Audit Sistem Informasi: Pendekatan Cobit," Mitra Wacana Media, Jakarta, 2007.
[7] IT Governance Institute, "COBIT 4.1 Framework, Control Objectives, Management Guidelines, Maturity Models," IT Governance Institute, 2007.
[8] BCA Finance, "Annual Report BCA Finance 2015," PT BCA Finance, Jakarta, 2015.
[9] BCA Finance, "Annual Report BCA Finance 2016," PT BCA Finance, Jakarta, 2016.
[10] BCA Finance, "Annual Report BCA Finance 2017," PT BCA Finance, Jakarta, 2017.
[11] Lorences, P. P., Avila, L. F. G., "The Evaluation and Improvement of IT Governance," Journal of Systems and Technology Management, 2013, 10 (2), pp. 219 - 234.
[12] Castillo, F., Stanojevic, P., "An Assessment of the IT Governance maturity at ASL," Master's thesis, Royal Institute of Technology Stockholm, 2011.
[13] Sadikin, M., Hardi, H., and Haji, W., "IT Governance Self Assessment in Higher Education Based on COBIT Case Study: University of Mercubuana," Journal of Advanced Management Science, 2014, 2 (2), pp. 219 - 234.
[14] Pederiva, A., "The COBIT Maturity Model in a Vendor Evaluation Case," Informations Control Journal, 2003, 3, pp. 133 - 152.
[15] Riadi, F., "Pengukuran Tingkat Kematangan Proses Tata Kelola Teknologi Informasi dengan Menggunakan COBIT 4.1 Maturity Model: Studi Kasus Dinas Pendidikan DKI Jakarta," Master's thesis, University of Indonesia, 2013.
[16] Servanda, M. S., "Pengukuran Tingkat Kematangan Proses Tata Kelola Teknologi Informasi dengan Menggunakan COBIT 4.1 Maturity Model: Studi Kasus Dinas Pendidikan DKI Jakarta," Master's thesis, Gunadarma University, 2016.
[17] Suta, I. B. L. M., Mahendra, I. G. N. A. S., and Sudarma, M., "Application of Cobit 5 for Hospital Services Management Information System Audit," International Journal of Engineering and Emerging Technology, 2018, 3, pp. 18 - 23.
[18] Krisanthi, G. A. T., Sukarsa, I. M., and Bayupati, I. P. A., "Governance Audit of Application Procurement Using COBIT Framework," Journal of Theoretical and Applied Information Technology, Volume (59), No 2, pp. 342-351.
Dimas Bagus Prasetyo was born in Jakarta, Indonesia, on August 17th, 1993. He holds a Bachelor's degree in Informatics from Gunadarma University, Depok, Indonesia. He continued his education in the Master's Programme at the same university and graduated in 2018. His research interests are IT Governance, IT Audit, and Location Based Service.
He has published information technology articles at an International Symposium and an International Conference: "Car Problem Diagnosis Using Rule-Based Expert System" (May 3rd, 2017, International Symposium on Business, Management, and Technologies) and "Implementation of Combination Scytale, Jefferson, and Fence Cipher Algorithm to Prevent Digital Certificate Counterfeiting" (March 5th, 2018, International Conference on Human Capital in Cyber Security & Digital Forensics).