Audit of IT Governance Based on COBIT 5 Assessments: A Case Study

Abstract: Training Center in Jakarta offers a certification program for the individuals and companies who wish to search for or complement international scale IT certifications. The certification program consists of training certification exam preparation and certification exams. The purpose of this research is to get an overview of the performance of information technology governance in order to determine the extent of the capabilities of information technology governance in the Training Center which is currently running, with a few aspects to consider such as effectiveness, efficiency, functional unit of information technology within an organization


Keywords: Audit, IT Governance, COBIT 5.

I. INTRODUCTION
According to Fadzil et al. (2005), the technology revolution in accounting and auditing began in the summer of 1954 with the first operational business computer [1], [2]. Nowadays, most management agrees on the necessity of considering IT as an "organizational strategic player". As an organization's strategy changes over time, IT has to change too [3].
IT governance is a process by which the objectives of the entity that have an impact on information technology are agreed, directed, and controlled [4], [5]. The primary focus of IT governance is on the responsibility of the board and executive management to control the formulation and implementation of IT strategy, to ensure the alignment of IT and business, to identify metrics for measuring the business value of IT, and to manage IT risks in an effective way [6]. Companies commonly use governance control frameworks to establish and assess control processes. The use of frameworks for the construction and evaluation of IT controls results in more reliable and comprehensive control systems (Tuttle and Vandervelde, 2007). This study uses the COBIT control framework to evaluate the performance of IT control governance in freight forwarding companies [7]. IT governance is a concept that has suddenly emerged and become an important issue in the information technology field. Precisely when this new challenge began surfacing is unknown, but it is now a discussion issue within most organizations [8]. Information technology (IT) governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources. Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation [9]. IT Governance (ITG) is the vital and unique solution to ensure positive returns [10], [11].

ISSN 2476 -8812 Johanes Fernandes Andry: Audit of IT Governance …

The purpose of this research is to get an overview of the performance of information technology governance in order to determine the extent of the capabilities of information technology governance in the Training Center which is currently running, with a few aspects to consider such as: effectiveness, efficiency, the functional unit of information technology within an organization, data integrity, safeguarding of assets, reliability, confidentiality, availability, and security [23]. The benefit of this research was to determine the process capability level of IT in the Training Center using COBIT 5, focused on the DSS (Deliver Service and Support) domain.

A. Audit
Business organizations undergo different types of audits for different purposes. The most common of these are external (financial) audits, internal audits, and fraud audits. An IT audit focuses on the computer-based aspects of an organization's information system, and modern systems employ significant levels of technology [9], [24]. Audit plays an important role in developing and enhancing the global economy and business firms [12]. Ron Weber (1999) argued that information systems auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently [13].

B. IT Governance
The Information Technology Governance Institute (ITGI) (2003) defined IT Governance as "it is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives" [14]. IT governance is the structure of relationships, processes and mechanisms used to develop, direct and control IT strategy and resources so as to best achieve the goals and objectives of an enterprise. It is a set of processes aimed at adding value to an organization while balancing the risk and return aspects associated with IT investments [15].
Gartner defines IT governance as the set of processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives. Doughty defines IT governance to be a framework that supports the effective and efficient management of information resources (e.g. people, funding and information) to facilitate the achievement of corporate objectives. The focus is on the measurement and management of IT performance to ensure that the risks and costs associated with IT are appropriately controlled [16]. Gartner states that IT governance addresses two major topics: IT demand governance ("doing the right thing") and IT supply-side governance ("doing things right"). The focus of this paper is on the COBIT 5 framework and how it covers both the governance and management of IT [17]. In 2005 ISACA introduced a new, fourth version of COBIT with a clear focus on IT governance [18]. A further version of this framework is COBIT 4.1, released in 2007, accepting the generally used frameworks such as "IT Infrastructure Library (ITIL)", "ISO 27000 series" and "Capability Maturity Model® Integration (CMMI)" [19]. The current version of the framework, COBIT 5, was released in 2012. The COBIT 5 process reference model is the successor of the COBIT 4.1 process model, with the Risk IT and Val IT process models integrated as well. Figure 1, COBIT 5 Process Reference Model, shows the complete set of 37 governance and management processes within COBIT 5.

C. COBIT 5
According to [20], [22], the six levels of the COBIT 5 Process Capability Model are:
Level 0: The process is not in place or it cannot reach its objective. At this level the process has no objective to achieve. For this reason this level has no attribute.
Level 1: Performed process. The process is in place and achieves its own purpose. This level has only "Process Performance" as process attribute.
Level 2: Managed process. The process is implemented following a series of activities such as planning, monitoring and adjusting activities. The outcomes are established, controlled and maintained. This level has "Performance Management" and "Work Product Management" as process attributes.
Level 3: The previous level is now implemented following a defined process that allows the achievement of the process outcomes. This level has "Process Definition" and "Process Deployment" as process attributes.
Level 4: Predictable process. This level implements processes within a defined boundary that allows the achievement of the process outcomes. This level has "Process Management" and "Process Control" as process attributes.
Level 5: This level implements processes in a way that makes it possible to achieve relevant, current and projected business goals. This level has "Process Innovation" and "Process Optimisation" as process attributes.
In COBIT 5, to achieve a given level of capability, the previous level has to be completely achieved [20].
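The gating rule above, together with the current-versus-expected gap analysis used later in the paper, can be expressed as a short routine. This is an added example, not code or data from the study: the attribute names come from the level descriptions, while the 0 to 1 rating scale, the "largely" and "fully achieved" cut-offs and the sample ratings are assumptions, and it does not reproduce the paper's questionnaire averaging.

```python
# Added illustration. Attribute names are the ones listed in the text above;
# the sample ratings and both thresholds are assumptions, not audit data.
LEVEL_ATTRIBUTES = {
    1: ["Process Performance"],
    2: ["Performance Management", "Work Product Management"],
    3: ["Process Definition", "Process Deployment"],
    4: ["Process Management", "Process Control"],
    5: ["Process Innovation", "Process Optimisation"],
}
FULLY = 0.85    # assumed cut-off: above this an attribute is "fully achieved"
LARGELY = 0.50  # assumed cut-off: above this it is "largely achieved"


def capability_level(ratings):
    """Highest level reached for attribute ratings in [0, 1] (missing = 0)."""
    if any(not 0.0 <= r <= 1.0 for r in ratings.values()):
        raise ValueError("ratings must lie between 0 and 1")
    achieved = 0
    for level in sorted(LEVEL_ATTRIBUTES):
        own = [ratings.get(a, 0.0) for a in LEVEL_ATTRIBUTES[level]]
        lower = [ratings.get(a, 0.0)
                 for lv in range(1, level) for a in LEVEL_ATTRIBUTES[lv]]
        # Gate: every lower level must be completely achieved first.
        if min(own) <= LARGELY or any(r <= FULLY for r in lower):
            break
        achieved = level
    return achieved


def gap_report(ratings, expected_level):
    """Current level, gap to the expected level, and attributes blocking it."""
    blockers = []
    for level in range(1, expected_level + 1):
        need = LARGELY if level == expected_level else FULLY
        blockers += [(level, a) for a in LEVEL_ATTRIBUTES[level]
                     if ratings.get(a, 0.0) <= need]
    current = capability_level(ratings)
    return {"current": current, "expected": expected_level,
            "gap": max(expected_level - current, 0), "blockers": blockers}


# Constructed ratings for one process (not taken from the case study).
SAMPLE = {
    "Process Performance": 0.95, "Performance Management": 0.90,
    "Work Product Management": 0.70, "Process Definition": 0.60,
    "Process Deployment": 0.55, "Process Management": 0.20,
    "Process Control": 0.10,
}

if __name__ == "__main__":
    print(gap_report(SAMPLE, expected_level=4))
```

With the constructed ratings, the level 3 attributes are largely achieved, yet the process stays at level 2 because "Work Product Management" is not fully achieved.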

III. RESEARCH METHOD
This paper is the result of practical research. Data were gathered by questionnaire [21] and field observation; the research takes a survey approach. The analytical tool used in this study is the standard COBIT procedure issued by ISACA (Information Systems Audit and Control Association). The data can be obtained by various methods, namely: the questionnaire, which was distributed to every part belonging to management, with 5 management respondents. In addition, the questionnaire was distributed to 45 user respondents, so the overall total of respondents obtained is 50.
Reporting: after the questionnaires were distributed, the resulting data were processed and calculated based on the maturity level calculation. Reporting then proceeds in several steps: the audit results contain the findings for the present (current level) and the hope for the future (expected level); a gap analysis is performed to interpret the current and expected levels; and the recommendations list corrective actions to close the gap and achieve improvements at the institution. Figure 2 shows the Step by Step Index Level Process Capability Model [21].

IV. RESULT AND ANALYSIS
Training Center (hereinafter called TC) is a business that has been running since 2012 and has experience delivering information technology solutions and professional services for many companies in Indonesia, from small and medium businesses to enterprises. The ability and success of the company in providing training is supported not only by a solid team of professional trainers who are advanced in their fields but also by client cooperation that has been well maintained up to now, for both public training and in-house training. TC provides training in Security, Data Center, Network Infrastructure, Database, Application and Mobile Development, Virtualization, Web Design and Programming. The company's goal is to give the best learning and service methods to create professional human resources. To support our goal, we have state-of-the-art facilities and the best professional instructors. TC cooperates with a Testing Center authorized by Pearson Vue to provide international certifications such as ISACA, Microsoft, Cisco, etc.
The business process in TC is as follows. First, the client requests training, then submits the trainee attendance list and generates a purchase order. TC staff or sales make the training schedule; fixing the schedule between trainee and trainer often takes several rounds. Once the schedule is fixed, the trainer delivers the training subject to the trainees. After the training session, attendees are given a certificate of attendance, and a report is sent to the client together with an invoice from TC finance or staff to the client's finance department. The whole process is shown in Figure 3, Business Process in Training Center.

Figure 3. Business Process in Training Center
In this chapter, the author analyzes general controls using the COBIT framework approach. The analysis concentrates on the environment within the TC IT department: employees, equipment, physical security, regulations, etc. [23], [24].

A. DSS01 Manage Operations
In this stage the author analyzes whether IT operational service outcomes are delivered as planned. The process description is: coordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities. The expected process capability level of DSS01 Manage Operations is level 4, predictable process [22]. The sub domains are given in more detail in Table 2, Process Capability Domain DSS01 Manage Operations.
In conclusion, the average for DSS01 is at level 2.8, Managed Process.

V. CONCLUSION
This study provides an overview of IT governance, the necessity of IT governance in a training center, the COBIT framework and the concepts related to the framework's implementation. In order to reach effective IT governance, business and IT should understand each other. The result of this training center audit is that business and IT management are aware of the impact of not managing performance and capacity. Performance needs are generally met based on assessments of individual systems and the knowledge of support and project teams. Availability problems are likely to occur in an unexpected and random fashion and take considerable time to diagnose and correct.
The conclusion that can be drawn from this research is that IT governance at the Training Center has been carried out, although it does not yet run optimally because it has not reached the expected level of maturity. The process capability level of each IT process in the Deliver Service and Support (DSS) domain was on average between 2.2 and 2.8 (managed process), and the IT governance processes in TC follow a pattern that is carried out repeatedly.

Figure 1. COBIT 5 Process Reference Model

Figure 2. Step by Step Index Level Process Capability Model [21]