Scientific article on the topic 'EVALUATION AND RECOMMENDATION IT GOVERNANCE BASED ON COBIT 5 FRAMEWORK IN HARRIS VERTU HARMONI HOTEL'

EVALUATION AND RECOMMENDATION IT GOVERNANCE BASED ON COBIT 5 FRAMEWORK IN HARRIS VERTU HARMONI HOTEL. Text of a scientific article in the specialty "Economics and Business"

CC BY
Keywords
AUDIT / INFORMATION SYSTEM / COBIT 5 / EVALUATE / DIRECT AND MONITOR

Abstract of the scientific article in economics and business. Authors of the work: Bernanda D.Y., Angelia Michelle

Harris Vertu Harmoni is a high-end hotel that caters to the needs of business guests and modern tourist travel and adapts to a dynamic lifestyle, offering a unique experience built on lifestyle concepts and high-end technology, which is one of the main supports of its business processes and operational activities. The hotel has a Vertu Personal Assistant (VPA) application that supports operational activities by helping guests find hotel information and make digital requests. The purpose of the VPA application audit is to provide benefits for the hotel, to ensure that the hotel's objectives are achieved optimally, and to get the maximum results from a properly applied information system that supports the hotel's goals. In this research, the capability model of the COBIT 5 framework is used to measure the capability level of each process. The study focuses on one COBIT 5 domain, Evaluate, Direct and Monitor (EDM), which has 5 processes: EDM01 reaches capability level 3 with an expected level of 3, EDM02 reaches 2.6 with an expected level of 3, EDM03 reaches level 2 with an expected level of 3, EDM04 reaches 2.6 with an expected level of 3, and EDM05 reaches 2.6 with an expected level of 3. Based on the results of the analysis carried out in this study, the authors conclude that the Harris Vertu Harmoni hotel's processes for governance framework setting and maintenance, value optimization, risk optimization, resource optimization and stakeholder transparency are passable.


Text of the scientific work on the topic "EVALUATION AND RECOMMENDATION IT GOVERNANCE BASED ON COBIT 5 FRAMEWORK IN HARRIS VERTU HARMONI HOTEL"

Evaluation and Recommendation IT Governance Based on COBIT 5 Framework in Harris Vertu Harmoni Hotel

Devi Yurisca Bernanda, Michelle Angelia

Keywords—Audit, Information System, COBIT 5, Evaluate, Direct and Monitor.

I. Introduction

With the progress of technology, especially information technology, many companies adopt information systems as an essential part of the continuity of company operations, and the Harris Vertu Harmoni hotel is no exception [1]. The application and use of information technology will be beneficial if it is in accordance with the objectives, vision and mission of the company, which have been translated into business strategies and information technology strategies.

D.Y. Bernanda is a lecturer in the Department of Information Systems, Faculty of Technology and Design, University of Bunda Mulia, North Jakarta, 114430, Indonesia (e-mail: dbernanda@bundamulia.ac.id).

Michelle Angelia is a student in the Department of Information Systems, Faculty of Technology and Design, University of Bunda Mulia (e-mail: michelleangelia198@gmail.com).

Alignment between information technology strategy and business strategy will provide added value in the form of competitive advantage in business competition [2]. However, the use of information technology (IT) is sometimes not as expected: a bigger IT investment is not always followed by greater support for the achievement of organizational goals and strategies. Therefore, integrated and structured information technology governance is needed, from the design process through to the monitoring process, to ensure that IT can support the achievement of organizational goals [3]. IT governance is the process by which the objectives of the entity that have an impact on information technology are agreed, directed and controlled. The main objective of IT governance is to reduce risk and ensure that investment in IT resources adds value to the company [4]. Harris Vertu Harmoni is an upscale hotel [5] that caters to the needs of business guests and modern tourist travel and adapts to a dynamic lifestyle, offering a unique experience built on a lifestyle concept and high-end technology. One of the main supports for the hotel's business processes and operational activities is the Vertu Personal Assistant (VPA) application, which helps guests find hotel information and make digital requests; it is aimed at getting the maximum results from a properly implemented information system that supports the goals of the hotel. Therefore, conducting an audit of the VPA application can ensure the setting and maintenance of the governance framework, optimize value, optimize risk management, optimize resources and ensure stakeholder transparency, so as to provide benefits to the hotel, ensure that the hotel's objectives are optimally achieved, and provide input or recommendations for future improvements.

In this study, the authors use the COBIT 5 framework to help companies create optimal value from IT with a balance between realizing benefits and increasing the level of risk and use of resources. The scope of this study is application auditing with the COBIT 5 framework, using the Evaluate, Direct and Monitor (EDM) domain to assess overall governance.

The purposes of this research, based on the problems described, are as follows:

1. Find out the extent of the use of the Vertu Personal Assistant (VPA) application at Harris Vertu Harmoni hotel.

2. Determine the capability level at Harris Vertu Harmoni hotel based on the EDM domain (Evaluate, Direct, and Monitor).

3. Provide recommendations for improving the information technology governance of the Harris Vertu Harmoni hotel.

In conducting this research, the model used is the COBIT framework, and the version used is COBIT 5. COBIT 5 includes a capability model, which is used in the assessment of the capability level. COBIT 5 has five domains, and the domain was chosen because companies want to focus on domains that can overcome the problems that occur; the choice also sets the problem boundaries of the research.

The choice of domain in this study aims to focus on stating the level of capability and providing recommendations based on the research results. The domain to be studied is EDM (Evaluate, Direct and Monitor) in the area of governance. This study uses all sub-domains or processes of EDM, namely EDM01, EDM02, EDM03, EDM04, and EDM05. The purposes of the sub-domains used are as follows:

1. The EDM01 Ensure Governance Framework Setting and Maintenance process is used to ensure the management and maintenance of the IT governance framework used by the hotel. The use of IT is very important in increasing profits, so IT governance is needed for IT use to run effectively and efficiently.

2. The EDM02 Ensure Benefits Delivery process is used to optimize the hotel business value contribution. Value optimization can improve business processes, services and IT assets.

3. The EDM03 Ensure Risk Optimization process is used to optimize risk management. Risk management is used to minimize risks that may occur, avoid or prevent losses and increase profits for the hotel.

4. The EDM04 Ensure Resource Optimization process is used to optimize resource requirements. Optimizing resources (human, process and technology) supports hotel goals at optimal cost and prepares for future changes.

5. The EDM05 Ensure Stakeholder Transparency process is used to ensure measurement of IT performance and ensure transparent communication and reporting to stakeholders. Effective and timely communication and reporting to stakeholders is essential for improving performance and for keeping IT goals and strategies in accordance with hotel strategy.

II. Related Literature and Studies

A. COBIT 5

COBIT 5 is the only framework for IT governance and management. COBIT 5 combines the latest thinking in enterprise stewardship and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trustworthiness and value of information systems. COBIT 5 builds on and expands COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA's Val IT and Risk IT, the Information Technology Infrastructure Library (ITIL®) and related standards from the International Organization for Standardization (ISO) [6].

The COBIT 5 framework is built on five basic principles, which are covered in detail, and include extensive guidance on enablers for corporate IT governance and management. The COBIT 5 process reference model divides the company's IT processes into two main areas. The governance and management activities are divided into process domains [7]:

1. Governance

This domain contains five governance processes; within each process, evaluation, directing, and monitoring (EDM) practices are defined.

2. Management

This area contains four domains that correspond to the responsibility areas of planning, building, running and monitoring (PBRM), and they provide end-to-end IT coverage. Each domain contains a number of processes, as in COBIT 4.1 and earlier versions. Although most processes require 'planning', 'development', 'running' and 'monitoring' activities within the process or within the specific issue being addressed (for example, quality or security), they are placed in the domain that is generally the most relevant area of activity for IT at the enterprise level.

[Figure: Processes for Governance of Enterprise IT]

Figure 1. Process Reference Model [8]

In Fig. 1, COBIT 5 consists of 37 High Level Control Objectives which are divided into 2 types, namely governance and management, which are then divided into 5 domains, as follows [6]:

1. Governance

Governance ensures that the needs of stakeholders are met, conditions and options have been evaluated to determine balanced and achievable company goals, regulate the direction of the company through priorities and decision making, monitor performance and compliance with agreed directions and goals.

Governance has 1 domain, namely Evaluate, Direct and Monitor (EDM), the following are the details:

1. EDM01: Ensure Governance Framework Setting and Maintenance.

2. EDM02: Ensure Benefits Delivery.

3. EDM03: Ensure Risk Optimization.

4. EDM04: Ensure Resource Optimization.

5. EDM05: Ensure Stakeholder Transparency.

2. Management

Management plans, builds, implements and monitors activities in alignment with governance. Management has 4 domains, namely Align, Plan and Organize (APO), Build, Acquire and Implement (BAI), Deliver, Service and Support (DSS) and Monitor, Evaluate and Assess (MEA). Here are the details:

1. Align, Plan and Organize (APO): this domain consists of 13 processes.

1. APO01: Manage the IT Management Framework

2. APO02: Manage Strategy

3. APO03: Manage Enterprise Architecture

4. APO04: Manage Innovation

5. APO05: Manage Portfolio

6. APO06: Manage Budget and Costs

7. APO07: Manage Human Resources

8. APO08: Manage Relationships

9. APO09: Manage Service Agreements

10. APO10: Manage Suppliers

11. APO11: Manage Quality

12. APO12: Manage Risk

13. APO13: Manage Security

2. Build, Acquire and Implement (BAI): this domain consists of 10 processes.

1. BAI01: Manage Programs and Projects

2. BAI02: Manage Requirements Definition

3. BAI03: Manage Solutions Identification and Build

4. BAI04: Manage Availability and Capacity

5. BAI05: Manage Organizational Change Enablement

6. BAI06: Manage Changes

7. BAI07: Manage Change Acceptance and Transitioning

8. BAI08: Manage Knowledge

9. BAI09: Manage Assets

10. BAI10: Manage Configuration

3. Deliver, Service and Support (DSS): this domain consists of 6 processes.

1. DSS01: Manage Operations

2. DSS02: Manage Service Requests and Incidents

3. DSS03: Manage Problems

4. DSS04: Manage Continuity

5. DSS05: Manage Security Services

6. DSS06: Manage Business Process Controls

4. Monitor, Evaluate and Assess (MEA) consists of 3 processes.

1. MEA01: Monitor, Evaluate and Assess Performance and Conformance

2. MEA02: Monitor, Evaluate and Assess the System of Internal Control

3. MEA03: Monitor, Evaluate and Assess Compliance with External Requirements

B. Process Capability Model

Process capability is a characteristic of the ability of a process to achieve current or future business goals. A process capability assessment is carried out to identify a certain level of process capability and then determine the next steps to improve that process capability. Capability measurement is based on process attributes (PA). Each attribute defines a certain aspect of process capability [6].

The combination of achieving these process attributes will determine the level of process capability. Capability level at COBIT 5 is as shown in Fig. 2.

[Figure: the six capability levels: Level 0 Incomplete process, Level 1 Performed process, Level 2 Managed process, Level 3 Established process, Level 4 Predictable process, Level 5 Optimizing process, each with its process attributes]

Figure 2. Capability Level at COBIT 5 [9]

In Fig. 2, the level of process capability used in process assessment consists of six levels, as follows:

1. Level 0: Incomplete Process, the process is not implemented or fails to achieve process objectives. There is little or no evidence of systematic achievement of process goals.

2. Level 1: Performed Process, namely the implementation of the process of achieving goals. The process attribute that reflects the achievement of this level is PA1.1 Process Performance.

a. PA 1.1 measures the extent to which process objectives are achieved. The results of achieving this attribute are reflected in every expected output production process.

3. Level 2: Managed Process, namely the process at level 1 is implemented into a process arrangement (planned, monitored, and evaluated) and the work results of the process are defined, controlled and maintained appropriately. The attributes at this level are:

a. PA 2.1 Performance Management: measures the extent to which the implementation of the process is regulated.

b. PA 2.2 Work Product Management: measures the extent to which work products are produced by well-regulated processes.

4. Level 3: Defined Process, namely the process at level 2 which is carried out using the specified process and is able to achieve the result of the process. The attributes at this level are:

a. PA 3.1 Process Definition: measures the level of the process defined to support the implementation of the process.

b. PA 3.2 Process Applications: measures the extent to which process standards are effectively applied.

5. Level 4: Predictable Process, namely a process at level 3 that is executed within defined limits to achieve the result of the process. The attributes at this level are:

a. PA 4.1 Process Measurement: measures the extent to which measurement results are used to ensure that the implementation of processes supports the achievement of organizational goals.

b. PA 4.2 Process Control: measures the extent to which a process is regulated quantitatively to produce a stable, capable and predictable process within the specified limits.

6. Level 5: Optimizing Process, namely the process at level 4 to be continuously improved to meet current and future organizational goals. The attributes at this level are:

a. PA 5.1 Innovation Process: measures the extent to which changes to the process are identified from process implementation and from innovative approaches to process execution.

b. PA 5.2 Process Optimization: measures the extent to which changes to the definition, management and implementation of the process effectively support the achievement of process improvement goals.

The scale used to assess process attributes is:

1. N: Not Achieved (0 to 15%)

There is little or no evidence of attaining the attributes of the process being assessed.

2. P: Partially Achieved (> 15% to 50%)

There is some evidence of the approach and some of the attainments of the assessed process attributes. Some aspects of attribute attainment may be unpredictable.

3. L: Largely Achieved (> 50% to 85%)

There is evidence of a systematic approach and significant achievement of the process attributes assessed. Some of the weaknesses regarding this attribute may exist in the process being assessed.

4. F: Fully Achieved (> 85% up to 100%)

There is complete evidence and a systematic approach and full attainment of the process attributes assessed. There are no weaknesses related to the attributes contained in the assessed process.

The following is Fig. 3 which shows the scale used in each process attribute in the assessment of the capability level.

In Fig. 3, capability level assessment at COBIT 5 is as follows [10]:

[Figure: matrix of the process attributes PA 1.1 Process performance, PA 2.1 Performance management, PA 2.2 Work product management, PA 3.1 Definition, PA 3.2 Deployment, PA 4.1 Measurement, PA 4.2 Control, PA 5.1 Innovation and PA 5.2 Optimization against capability levels 1 to 5 (Level 0 Incomplete, Level 1 Performed, Level 2 Managed, Level 3 Established, Level 4 Predictable, Level 5 Optimizing), showing the rating required at each level. L/F = Largely or Fully, F = Fully]

Figure 3. Process Attribute Ratings and Capability Levels [9]

To achieve capability level 1, attribute PA 1.1 must be largely or fully achieved. To reach level 2, PA 2.1 and PA 2.2 must be largely or fully achieved and PA 1.1 must be fully achieved. To reach level 3, PA 3.1 and PA 3.2 must be largely or fully achieved and PA 1.1, PA 2.1 and PA 2.2 must be fully achieved.

And so on for capability levels 4 and 5.

III. Methods

[Figure: research methodology]

Figure 3. Research Methodology [11]

This research was conducted through literature studies, an initial survey, collection of survey data and study of the object of research. The method of this research is illustrated in Fig. 3 Research Methodology.

Conduct literature studies on related theories such as information systems auditing and COBIT 5, and determine the domains to be used. Conduct an initial survey of the object of research to explain the purpose of the study and to see the conditions and data needs. In addition, the interview questions are prepared at this stage.

Perform the required data collection and observation.

Undertake additional literature studies as needed. Analyze the interview results obtained and calculate each domain using the COBIT 5 capability level. Produce reports in the form of audit results and recommendations on the Harris Vertu Harmoni hotel.
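The rating scale and capability-level rule from the Process Capability Model section, and the per-domain calculation named in the methodology, can be written out as follows. This is an added Python example, not code from the paper: the function names and the percentage scores are constructed for illustration, the sub-domain levels are those the paper reports for EDM01 to EDM03, and truncating the average to one decimal is an assumption made to reproduce the 2.6 reported for EDM02.

```python
import math

# Process attributes (PA) that belong to each capability level, as listed in
# the Process Capability Model section of the paper.
LEVEL_ATTRIBUTES = {
    1: ["PA1.1"],
    2: ["PA2.1", "PA2.2"],
    3: ["PA3.1", "PA3.2"],
    4: ["PA4.1", "PA4.2"],
    5: ["PA5.1", "PA5.2"],
}


def rating_from_percent(pct):
    """Map an achievement percentage to the N/P/L/F rating scale."""
    if not 0 <= pct <= 100:
        raise ValueError(f"achievement must be within 0..100, got {pct}")
    if pct <= 15:
        return "N"  # Not achieved: 0 to 15%
    if pct <= 50:
        return "P"  # Partially achieved: >15% to 50%
    if pct <= 85:
        return "L"  # Largely achieved: >50% to 85%
    return "F"      # Fully achieved: >85% to 100%


def capability_level(ratings):
    """Return the capability level (0-5) reached for one process.

    ratings maps attribute ids such as "PA2.1" to "N", "P", "L" or "F".
    An attribute that was not assessed counts as "N".
    """
    level = 0
    for candidate in range(1, 6):
        own = LEVEL_ATTRIBUTES[candidate]
        lower = [pa for lv in range(1, candidate) for pa in LEVEL_ATTRIBUTES[lv]]
        # The level's own attributes must be largely or fully achieved,
        # and every attribute of the levels below must be fully achieved.
        own_ok = all(ratings.get(pa, "N") in ("L", "F") for pa in own)
        lower_ok = all(ratings.get(pa, "N") == "F" for pa in lower)
        if not (own_ok and lower_ok):
            break
        level = candidate
    return level


def assess(scores):
    """Rate percentage scores per attribute and derive the capability level."""
    ratings = {pa: rating_from_percent(pct) for pa, pct in scores.items()}
    return ratings, capability_level(ratings)


def domain_summary(current, expected):
    """Average the sub-domain levels and list the gaps to the expected level."""
    mean = sum(current.values()) / len(current)
    # Assumption: truncate to one decimal so that 3, 2, 3 gives the 2.6
    # reported in the paper rather than the rounded 2.7.
    average = math.floor(mean * 10) / 10
    gaps = {name: expected - lvl for name, lvl in current.items() if lvl < expected}
    return average, gaps


# Constructed interview scores (percent achieved per attribute), not from the paper.
SCORES_LEVEL_3 = {"PA1.1": 100, "PA2.1": 90, "PA2.2": 88,
                  "PA3.1": 70, "PA3.2": 60, "PA4.1": 20}
# PA 2.1 is only largely achieved, so strong level 3 attributes
# cannot lift this process above level 2.
SCORES_CAPPED_AT_2 = {"PA1.1": 100, "PA2.1": 80, "PA2.2": 90,
                      "PA3.1": 95, "PA3.2": 95}

# Current sub-domain levels as reported in the paper; the expected level is 3.
AUDIT_RESULTS = {
    "EDM01": {"EDM01.01": 3, "EDM01.02": 3, "EDM01.03": 3},
    "EDM02": {"EDM02.01": 3, "EDM02.02": 2, "EDM02.03": 3},
    "EDM03": {"EDM03.01": 2, "EDM03.02": 2, "EDM03.03": 2},
}

if __name__ == "__main__":
    for name, scores in (("level 3", SCORES_LEVEL_3), ("capped", SCORES_CAPPED_AT_2)):
        print(name, assess(scores))
    for process, levels in AUDIT_RESULTS.items():
        print(process, domain_summary(levels, expected=3))
```

The second constructed score set shows why a gap report should list the lower-level attribute that is not yet fully achieved, not only the level number.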

IV. Results and Analysis

This section discusses the analysis carried out according to the research methodology. It covers the audit results for the selected domain, namely EDM01, EDM02, EDM03, EDM04, and EDM05. From these results, recommendations are given based on the gap between the current level and the expected level.

4.1 EDM01 Ensure Governance Framework Setting and Maintenance

EDM01 is a domain in the area of governance. It serves to provide a consistent, integrated approach in line with the corporate governance approach: to ensure that IT-related decisions are made according to the hotel's strategy and goals, that IT-related processes are monitored effectively and transparently, and that governance requirements for board members are met.

In this process, there are 3 sub-domains, as follows:

1. EDM01.01 Evaluate the Governance System,

2. EDM01.02 Direct the Governance System, and

3. EDM01.03 Monitor the Governance System.

4.1.1 EDM01.01 Evaluate the Governance System

This process aims to continuously identify and engage with corporate stakeholders, document an understanding of requirements and assess the current and future design of corporate IT governance.

Based on the audit findings, sub-domain EDM01.01 Evaluate the Governance System reaches capability level 3, established process. The hotel analyzes the internal and external factors that can influence governance design, determines the importance of IT and its role in the business, considers external regulations in hotel IT governance, guides the information use process, determines organizational control with IT, understands the culture of optimal decision-making in IT, and determines levels of delegated authority, including the rules in IT. The recommendation for sub-domain EDM01.01 is to establish and apply role models in governance.

4.1.2 EDM01.02 Direct the Governance System

This process aims to inform leaders and gain their support, buy-in and commitment; to guide IT governance structures, processes and practices according to the agreed governance design principles, decision-making models and levels of authority; and to determine the information needed for correct decision making.

Based on the audit findings, sub-domain EDM01.02 Direct the Governance System reaches capability level 3, established process. IT governance principles are communicated to management, the governance structure is built on the approved design, responsibilities and authorities are allocated according to the approved governance design, communications and reports produce the information needed, and staff follow and know the rules and the risks.

The recommendation for sub-domain EDM01.02 is to create and implement a reward system for staff so that they do their jobs in a way that provides the best results.

4.1.3 EDM01.03 Monitor the Governance System

This process aims to monitor the effectiveness and performance of corporate IT governance and to assess whether the systems and mechanisms implemented operate effectively and provide appropriate oversight of IT. Based on the audit findings, sub-domain EDM01.03 Monitor the Governance System reaches capability level 3, established process. The hotel measures the performance of authorized stakeholders, periodically assesses the effectiveness of IT governance, measures the effectiveness of the governance design, monitors that IT meets the prevailing regulations and policies, monitors the effectiveness and compliance of the hotel's control system, and conducts regular supervision to confirm that the use of IT is in accordance with the prevailing regulations. The recommendation for sub-domain EDM01.03 is to maintain the performance already achieved and undertake development.

4.1.4 Capability Levels of EDM01 Ensure Governance Framework Setting and Maintenance

Table 1 shows the results of the capability level analysis for domain EDM01, based on the audit findings on its sub-processes.

Table 1. Capability Level Domain EDM01

| Sub-Domain | Current | Expected |
|---|---|---|
| EDM01.01 | 3 | 3 |
| EDM01.02 | 3 | 3 |
| EDM01.03 | 3 | 3 |
| Average | 3 | |

4.2 EDM02 Ensure Benefits Delivery

EDM02 is a domain in the area of governance. It serves to secure optimal value from IT-supported initiatives, services and assets, cost-effective delivery of solutions and services, and a reliable and accurate picture of costs and benefits, so that business needs are supported effectively and efficiently. In this process, there are 3 sub-domains, as follows:

1. EDM02.01 Evaluate Value Optimisation

2. EDM02.02 Direct Value Optimisation

3. EDM02.03 Monitor Value Optimisation

4.2.1 EDM02.01 Evaluate Value Optimisation

This process aims to evaluate the portfolio of investments, IT services and assets to determine the achievement of hotel goals and the delivery of value at a reasonable cost. It also identifies and decides on any change in direction that needs to be given to management to optimize value creation.

Based on the audit findings, sub-domain EDM02.01 Evaluate Value Optimisation reaches capability level 3, established process. The hotel understands the needs of stakeholders in IT, identifies key elements for providing effective IT services, regularly discusses how adopted technology developments can provide benefits, understands value in the organization, evaluates the effectiveness of the hotel strategy in aligning with IT integration, evaluates the effectiveness of roles and responsibilities in ensuring value creation from IT, service and asset investments, assesses whether the management of IT investments, services and assets is in line with organizational and financial management, and evaluates IT investments, services and assets against hotel objectives.

The recommendation for this sub-domain EDM02.01 is to maintain the performance that has been done and undertake development.

4.2.2 EDM02.02 Direct Value Optimisation

This process aims to guide the principles and practices to achieve the optimal value realization of IT investment.

Based on the audit findings, sub-domain EDM02.02 Direct Value Optimisation reaches capability level 2, managed process. The hotel defines the types of communication, the categories and the criteria for assessing the overall score, establishes conditions for investment, aims to maximize the potential that IT can generate, directs investments and services to align with organizational objectives, and has recommendations that consider potential innovations, changes and improvements resulting from IT. The recommendation for sub-domain EDM02.02 is to provide direction for any changes required in accountability and responsibility for the implementation of investment portfolios and the value assignment of business processes and services, and to define and communicate organizational values and conduct effective monitoring measures.

4.2.3 EDM02.03 Monitor Value Optimisation

This process aims to monitor key goals and metrics to determine the extent to which the business is generating the value and benefits the hotel expects from IT investments and services, and to identify critical problems and consider corrective action.

Based on the audit findings, sub-domain EDM02.03 Monitor Value Optimisation reaches capability level 3, established process. The hotel defines objectives and metrics that measure the activities and outputs of IT and business processes, collects relevant, accurate and timely data for consideration in decision making, obtains and reviews IT program and performance reports, takes the management actions necessary to ensure that the score is optimized, and corrects any errors found in the review.

The recommendation for this sub-domain EDM02.03 is to maintain the performance that has been done and undertake development.

4.2.4 Capability Levels of EDM02 Ensure Benefits Delivery

Table 2 shows the results of the capability level analysis for domain EDM02, based on the audit findings on its sub-processes.

Table 2. Capability Level Domain EDM02

| Sub-Domain | Current | Expected |
|---|---|---|
| EDM02.01 | 3 | 3 |
| EDM02.02 | 2 | 3 |
| EDM02.03 | 3 | 3 |
| Average | 2.6 | |

4.3 EDM03 Ensure Risk Optimisation

EDM03 is a domain in the area of governance. It serves to ensure that hotel risks related to IT do not exceed risk appetite and risk tolerance, that the impact of IT risks on hotel value is identified and managed, and that the potential for compliance failure is minimized.

In this process, there are 3 sub-domains, as follows:

1. EDM03.01 Evaluate Risk Management

2. EDM03.02 Direct Risk Management

3. EDM03.03 Monitor Risk Management

4.3.1 EDM03.01 Evaluate Risk Management

This process aims to examine and assess the effect of risk on current and future IT use in the hotel, taking into account whether the hotel's risk appetite is appropriate and whether the risks to corporate value associated with IT use are identified and managed. Based on the audit findings, sub-domain EDM03.01 Evaluate Risk Management reaches capability level 2, managed process. The hotel has a determined level of IT-related risk, evaluates IT risk approval against the level of IT risk that the organization can tolerate, assesses the alignment of IT risk strategies with organizational strategies, evaluates IT proactively and ensures that every decision is risk-conscious, and has risk management to ensure alignment of organizational capacity with IT losses.

The recommendation for this sub-domain EDM03.01 is to maintain the performance that has been done and undertake development.

4.3.2 EDM03.02 Direct Risk Management

This process aims to establish risk management practices to provide adequate assurance that IT risk management practices are appropriate to ensure that the actual IT risks do not exceed the board of directors' risk appetite.

Based on the audit findings, the sub-domain EDM03.02 Direct Risk Management has reached capability level 2, managed process. The hotel promotes a culture of risk awareness and proactive organizational empowerment for risk identification, integrates IT and organizational strategies with organizational risk decisions and operations, has a development plan for risk communication, and holds briefings about risks, opportunities and problems that can be identified and reported by anyone at any time.

The recommendation for this sub-domain EDM03.02 is to maintain the performance that has been done and undertake development.

4.3.3 EDM03.03 Monitor Risk Management

This process aims to monitor the main objectives and metrics of the risk management process and monitor how irregularities or problems are identified, tracked and reported for correction.

Based on the audit findings, the sub-domain EDM03.03 Monitor Risk Management has reached capability level 2, managed process. The hotel monitors risks to ensure that they are managed within risk thresholds, monitors objectives, analyzes and corrects them to address the underlying causes, and conducts reviews with key stakeholders regarding the organization's progress towards objectives.

The recommendation for this sub-domain EDM03.03 is to report risk management issues to the board or executive committee.

4.3.4 Capability Levels of EDM03 Ensure Risk Optimisation

From the audit findings on the sub-processes of the domain EDM03, Table 3 shows the results of the capability level analysis in the domain EDM03.

Table 3. Capability Level Domain EDM03

| Sub-Domain | Current | Expected |
|---|---|---|
| EDM03.01 | 2 | 3 |
| EDM03.02 | 2 | 3 |
| EDM03.03 | 2 | 3 |
| Average | 2 | |

4.4 EDM04 Ensure Resource Optimisation

EDM04 is a domain in the area of governance. This domain serves to ensure that the hotel's resource requirements are optimally met, IT costs are optimized, and there is the possibility of increasing the realization of benefits and readiness for future changes.

In this process, there are 3 sub-domains, as follows:

1. EDM04.01 Evaluate Resource Management

2. EDM04.02 Direct Resource Management

3. EDM04.03 Monitor Resource Management

4.4.1 EDM04.01 Evaluate Resource Management

This process aims to continuously examine and assess current and future requirements for IT-related resources, options for resources (including sourcing strategies), and the principles of allocation and management to meet the hotel's needs optimally.

Based on the audit findings, the sub-domain EDM04.01 Evaluate Resource Management has reached capability level 2, managed process. The hotel has an assessment of current and future IT strategy and provision of resources, defines principles for resource allocation and management according to needs, reviews and approves resource plans and organizational architecture, and has an understanding of how to align financial and human resources.

The recommendation for this sub-domain EDM04.01 is to establish the principles of management and control of the hotel architecture.

4.4.2 EDM04.02 Direct Resource Management

This process aims to ensure the application of resource management principles to enable optimal use of IT resources.

Based on the audit findings, the sub-domain EDM04.02 Direct Resource Management has reached capability level 3, established process. The hotel communicates the adoption of strategies, principles and plans for resource management and an agreed organizational strategy architecture, has assignment of responsibilities in the execution of resource management, defines the main objectives in resource management, establishes principles related to resource protection, and harmonizes resource management, finance, organization and planning.

The recommendation for this sub-domain EDM04.02 is to maintain the performance that has been done and undertake development.

4.4.3 EDM04.03 Monitor Resource Management

This process aims to monitor the key objectives and metrics of the resource management process and monitor how irregularities or problems are identified, tracked and reported for correction.

Based on the audit findings, the sub-domain EDM04.03 Monitor Resource Management has reached capability level 3, established process. The hotel monitors the allocation and optimization of resources according to hotel goals and priorities, monitors IT strategy, organizational architecture, resources and capabilities to ensure current and future organizational needs are met, and monitors the performance of resources against targets, the analysis of deviations and their improvements.

The recommendation for this sub-domain EDM04.03 is to maintain the performance that has been done and undertake development.

4.4.4 Capability Levels of EDM04 Ensure Resource Optimisation

From the audit findings on the sub-processes of the domain EDM04, Table 4 shows the results of the capability level analysis in the domain EDM04.

Table 4. Capability Level Domain EDM04

| Sub-Domain | Current | Expected |
|---|---|---|
| EDM04.01 | 2 | 3 |
| EDM04.02 | 3 | 3 |
| EDM04.03 | 3 | 3 |
| Average | 2.6 | |

4.5 EDM05 Ensure Stakeholder Transparency

EDM05 is a domain in the area of governance. This domain serves to ensure that measurement and reporting of hotel IT performance is transparent to stakeholders. Communication to stakeholders is effective and timely, and a reporting basis is established to improve performance, identify areas for improvement, and ensure that IT-related goals and strategies are in line with hotel strategy.

In this process, there are 3 sub-domains, as follows:

1. EDM05.01 Evaluate Stakeholder Reporting Requirement

2. EDM05.02 Direct Stakeholder Communication and Reporting

3. EDM05.03 Monitor Stakeholder Communication

4.5.1 EDM05.01 Evaluate Stakeholder Reporting Requirement

This process aims to continuously examine and assess current and future stakeholder requirements and communications.

Based on the audit findings, the sub-domain EDM05.01 Evaluate Stakeholder Reporting Requirements has reached capability level 3, established process. The hotel has an assessment of mandatory reporting requirements and IT use in the organization, checks and assesses current and future mandatory reporting, and maintains communication principles with internal and external stakeholders.

The recommendation for this sub-domain EDM05.01 is to maintain the performance that has been done and undertake development.

4.5.2 EDM05.02 Direct Stakeholder Communication and Reporting

This process aims to ensure the creation of effective stakeholder communication and reporting, including mechanisms to ensure the quality and completeness of information, mandatory reporting oversight, and a communication strategy for stakeholders.

Based on the audit findings, the sub-domain EDM05.02 Direct Stakeholder Communication and Reporting has reached capability level 2, managed process. The hotel establishes a communication strategy with internal and external stakeholders, ensures information meets the criteria, and has a mechanism for validation in mandatory reporting.

The recommendation for this sub-domain EDM05.02 is to establish escalation (increase) reports.

4.5.3 EDM05.03 Monitor Stakeholder Communication

This process aims to monitor the effectiveness of communication from stakeholders and assess the accuracy and ensure that information needs are properly met.

Based on the audit findings, the sub-domain EDM05.03 Monitor Stakeholder Communication has reached capability level 3, established process. The hotel periodically assesses the effectiveness, accuracy and reliability of mandatory reporting, periodically assesses the effectiveness of communication between stakeholders, and ensures that stakeholder needs have been met.

The recommendation for this sub-domain EDM05.03 is to maintain the performance that has been done and undertake development.

4.5.4 Capability Level of EDM05 Ensure Stakeholder Transparency

From the audit findings on the sub-processes of the domain EDM05, Table 5 shows the results of the capability level analysis in the domain EDM05.

Table 5. Capability Level Domain EDM05

| Sub-Domain | Current | Expected |
|---|---|---|
| EDM05.01 | 3 | 3 |
| EDM05.02 | 2 | 3 |
| EDM05.03 | 3 | 3 |
| Average | 2.6 | |

4.6 Gap Analysis of Domain EDM

The analysis carried out produces an average level of capability in each domain. The next step is to compare the results obtained with the expected level. Table 6 shows the summary of the gap analysis on the domain Evaluate, Direct, and Monitor (EDM).

Table 6. Summary of Gap Analysis Domain EDM

| Domain | Average of Capability Level | Expected Level | Gap |
|---|---|---|---|
| EDM01 | 3 | 3 | 0 |
| EDM02 | 2.6 | 3 | 0.4 |
| EDM03 | 2 | 3 | 1 |
| EDM04 | 2.6 | 3 | 0.4 |
| EDM05 | 2.6 | 3 | 0.4 |

V. Conclusion

Based on the results of the analysis carried out in this study, the authors conclude that the Harris Vertu Harmoni hotel has a process of regulating and maintaining a governance framework, a process of value optimization, risk optimization, resource optimization and stakeholder transparency that is quite good, but improvements are necessary because the average level of capability was still below the expected level, specifically 3 established process.

The domain EDM01 Ensure Governance Framework Setting and Maintenance has an average capability level of 3, so the capability level in this domain is 3 established process. The domain EDM02 Ensure Benefits Delivery has an average capability level of 2.6, so the capability level in this domain is 2 managed process. The domain EDM03 Ensure Risk Optimization has an average capability level of 2, so the capability level in this domain is 2 managed process. The domain EDM04 Ensure Resource Optimization has an average capability level of 2.6, so the capability level in this domain is 2 managed process. The domain EDM05 Ensure Stakeholder Transparency has an average capability level of 2.6, so the capability level in this domain is 2 managed process.

From the audit findings, recommendations for improvement, development and periodic audits are also given to monitor the recommendations that will be implemented, so that they can continue to be implemented optimally and develop well. The purpose of these improvements is also that the implementation of the information system at the Harris Vertu Harmoni hotel can be better in the future and work according to expectations.

References

[1] R. Widayanti & L. Purnamawati, "Information Audit System in the Audit Management System (SMP) Application of the Audit Board of the Republic of Indonesia," Forum Ilmiah, 2013, Volume 10 Nomor 2, pp.262-272.

[2] Elly & F. Halim, "Evaluation of IT Infrastructure Governance Using COBIT 5 Framework (Case Study: STMIK-STIE MIKROSKIL)," SEBATIK, 2018, pp.74-82.

[3] R. E. Putri, "IT Risk Optimization Process Capability Assessment Model Based on COBIT 5," Seminar Nasional Informatika (semnasIF), 2015, pp.252-258.

[4] A. Ichwani & A. D. Farida, "Measurement of the Capability Level of Risk Management for Sharia Cooperative Information Systems Using the COBIT 5 Framework," Jurnal Komputasi, 2020, Vol 8 No 1, pp.1-14.

[5] Harris Vertu Hotels. (2020, May 12). Vertu Hotels. Available: https://www.vertuhotels.com/en-US/Harmoni


[6] J. F. Andry & K. Christianto, Audit Using COBIT 4.1 and COBIT 5 With Case Study. Yogyakarta, Teknosain, 2018.

[7] ISACA. Enabling Processes. USA: ISACA, 2012.

[8] ISACA. A Business Framework for the Governance and Management of Enterprise IT. USA: ISACA, 2012.

[9] ISACA. ISACA's COBIT® Assessment Programme (based on COBIT® 5). ISACA, 2014.

[10] ISACA. COBIT® Supplementary Guide for the COBIT 5 Process Assessment Model (PAM). USA: ISACA, 2012.

[11] J. F. Andry, "Performance Measurement of IT Governance: A Case Study," Jurnal Sistem Informasi MTI-UI, 2016, pp.1-7.

Devi Yurisca Bernanda is a Lecturer in the Department of Information Systems, Faculty of Technology and Design, University of Bunda Mulia, North Jakarta, 114430, Indonesia. She received her Master of Computer Science from Bina Nusantara University. Her research interests are in the area of Information System, Software Testing, Knowledge Management and Enterprise Architecture. She has published articles in the Journal of Theoretical and Applied Information Technology, indexed by Scopus, with the title "Improving Quality of SMEs Information System Solution with ISO 9126", and in the International Journal of Advanced Trends in Computer Science and Engineering with the title "The Influence of Social Media and Knowledge Management to Improve Employees Creativity", etc.
