Maturity Evaluation of Information Technology Governance in PT DEF Using Cobit 5 Framework

Information technology governance is used to guide and control an organization in achieving the goals that had been planned in advance. PT DEF is a company which utilizes information technology to support its business processes. Nevertheless, it indeed requires an IT governance that can be beneficial as a reference for IT activities in order to run properly. This research intends to conduct an audit of information technology governance based on the COBIT 5 framework domain, which is DSS (Deliver, Service and Support) domain in the process of DSS03 (Manage Problems). According to the research results, the values that have been obtained from the process of DSS03 capability level was 64.66%, that is regarded as Partially Achieved. Capability level will be used as a reference in seeking gap contained in the domain of DSS03 process. Furthermore, these would be able to make recommendations aimed at increasing the value of the expected maturity. This research contributes to the evaluation results and recommendations to improve the capability level on DSS03 domain, hence PT DEF can upgrade its IT governance by using DSS03 process.


Introduction
Governance is helpful to guide and control an organization in achieving the goals that had been planned in advance. The presence of information technology governance would likely support an organization to perform its IT in order to be more focused and able to coordinate between the process and existing benefits [1] [2]. In obtaining these purposes requires a control mechanism or information technology audit to assume the extent of IT governance [3].
One of the companies that have been performed information technology to support its operating system is PT DEF. PT DEF is one of the companies which engaged in the field of electricity and utilizes IT to gain its operational activities. However, upon on observations that have been done, PT. DEF does not have a certain rule yet in the governance of IT and tend to perform activities on the circumstance of sudden and unfocused in the handling of IT. This probably cause IT performances in the organisasion become deficient. Therefore, PT DEF needs an audit of technology governance. Audit information technology system is an activity that enables to measure p-ISSN: 2540-9433; e-ISSN: 2540-9824 how proper a system of information that has been running in the organization. Audit information system emphasizes on some vital aspects which are checking whether the computerized organization system can support asset security, whether it can support the achievement of the organization, whether it is already utilizing resources efficiently, and whether consistency is guranteed and whether the data is accurate.
When conducting the audit of information technology governance, there is a standard that can be engaged and recognized globally. One of these standards that may be useful is Control Objectives for Information and related Technology 5 (COBIT 5) released by IT Governance Institute (ITGI), which is part of ISACA [4][5] [6].
Based on the mapping of COBIT 5 Enterprise Goals to IT related Goals has been obtained a single process in the domain that is DSS domain (Deliver, Service and Support) on DSS03 process (Managing Problems). The description of DSS03 process is to determine problems in a company along with its causes, and then presents the resolution for certain period to prevent the recurrence of incidents and provide recommendations for improvement [7].
On early research, the standard of COBIT 4.1 framework in auditing information technology governance took place in PT PLN Kediri. The research was conducted to determine the extent of information technology governance that have been run on the domain to all domain of COBIT 4.1 which are domain Plan Organize (PO), Deliver Support (DS), Monitor Evaluate (MO), and Acquire Implement (AI). This study had results in the evaluation and recommendations for improvement that can be applied to PT. PLN Kediri, in which company would be able to arrange planning of IT infrastructure development procedures asociates with domain of COBIT 4.1 [8].
The implementation of the COBIT framework is also engaged in another research. This current research was presented about the tools for client-vendor to communicate is capable of supporting multiple functions of IT controls which are regulated by the COBIT framework. In addition, domain of COBIT framework is worthwhile to coordinate both communication and control for project development (Gantman & Fedorowicz 2016). COBIT and ISO 27001 is applied to evaluate the information technology security in the insurance companies. The subjective of this research is to indicate how vital the role of data security evaluation in the insurance companies, because the customers' data is something that is confidential and important [9].
Based on the issues mentioned above, this research is conducted using the COBIT 5 framework standards in auditing information technology governance at PT DEF. This research is conducted to determine the extent of IT governanceein the DSS domain of DSS03 process that has been run by PT DEF. Due to the exixtence of information technology audit governance, there is expected to provide a reference for improving the information technology governance in order to run business objectives properly as planned. 2.1 COBIT 5 COBIT 5 is a framework used to measure and improve IT governance [10] [11]. COBIT_was selected because it has ability both of IT control and provides IT measurement framework for analysis of objects that needs to be repaired [12]. There are five main principles in COBIT 5 as follows [13]:

Meeting Stakeholders Needs
It is necessary for companies to consider all stakeholders who involved, when making decisions related to advantages, resources and risk assessment decisions.

Covering the Enterprose End to End
COBIT 5 does not only concern over the governance of IT functions but also considers information technology as an asset that must be protected as much as any other asset in the organization. 3. Applying a Single Integrated Framework COBIT 5 enables for being used by organizations as comprehensive governance and integrator governance framework. 4. Enabling a Holistic Approach COBIT 5 is defined as a group of enablers that supports to apply comprehensive governance.

Separating Governance and Management
This principle explains that within the framework COBIT 5 makes a solid differentiation between management and governance. COBIT 5 defines the information technology activities into five domains, as follows:  Scouting to solutions delivery (BAI) and availability of service and support (DSS) BAI (Build, Acquire and Implement) Providing solutions and through it, so that it will turn out to be a service DSS (Deliver, Service and Support ) Accepting solutions and beneficial to the final users. MEA(Monitor,Evaluate,and Assess) Monitoring within processes so that the rules are followed correctly.
The method used in this research at PT DEF based on COBIT 5 framework is as follows:  Based on interviews conducted with employees at PT DEF had been obtained mapped enterprise goals in IT related field for mapping process and evaluation. Mapping results can be seen in the following table: Integrating_technology into a business process to_support and empower business processes.

DSS03-Manage Problems
The next stage, data was developed to guide the capability level of COBIT 5. Below is the translation of recapitulation calculation formula in order to obtain the stage of Capability Level: Assessing the capability levels [14] are divided into stages as follows:

3.1
Capability Level Measurement DSS03 process is a 'Manage Problems', according to ISACA (2012), Manage Problem is a description of DSS03 process to identify problems and then provides_resolution for certain period to prevent the recurrence of incidents and presents recommendations for improvement. This research utilizes sub domain of DSS03 which are: Diagnose problems DSS03-BP3 Lift the known error DSS03-BP4 Resolve_and close the problem DSS03-BP5 Perform_problem_management proactively Rate capability level was obtained with the calculation of interviews recapitulation, and then measure the rate of capability level on DSS03 process based on the level of response capability. Based on recapitulation data above, the calculation results of capability level on DSS03 process had the results of 64.66% which means 'Partially Achieved'. While stands on level 1 the activity is called 'Manage Change Acceptance and Transitioning', the process is still at the stage of planned and monitored has not been implemented fully.

3.2
Maturity Rate Analysis Current Capability is the average value of maturity level from the actual circumstance (As Is) of DSS03 process, while Expected Capability is the average value of maturity target level expected (To be) to determine the average results. Capability Level can be seen as follows: Based on table data of Value Gap Capability Level as-is by to-be Domain DSS of DSS03 process above, could be obtained graphic as follows: Below is gaps description or gap in every domain of DSS03 which have been found by the researchers: According to the audit findings have been made in the research, hence recommendations have been made in order to support increasing value of maturity IT governance at PT DEF. Recommendations can be given for improvement toward governance processes are as follows: 1) PT DEF needs to be aware of the need for risk management issues, yet there is still uncertain formal procedures and processes that do not well organized. 2) If there is a damage or issue on the system, PT DEF side could make improvements individually and carried out in conditions of a sudden which have no formal procedures and documents. 3) While addressing issues or interruptions on existing IT infrastructure, PT DEF will monitor the damage first, but the maintenance is done by suddenly without any standard procedures.

Fixing Recommendations
Once the results audit of bussiness processes have been determined. The results of the capability level also could be gained, those then may used to arrange a table of recommendations and improvements to achieve the target (To be). This improvement recommendations derived from the calculation results analysis and the level capability gap analysis as a form of design solutions to provide a proposed improvement. Proposed improvements are arranged directly so companies would be able to increase its level of maturity as expected. Determining recommendation is done by providing repair solutions for every process that has not fullest to the 100%. It begins from the whole process which contained on maturity rate at levels that must be completed. Recommendations can be given to repair IT governance processes as follows: 1) Perform the analysis and evaluation of errors that have occurred in each steps in the workability of IT projects on a regular basis. 2) Arrage a risk analysis that may occur in the future, for example, the risk when the network or server is down or one of the tools is damaged. Thus, design solutions asosiates with potencial issues. 3) Arrange cost analysis for mistakes should have been made. 4) Display the potencial risk analysis with proper format. 5) Perform documentation towards repairment issues, thus if there is unexpected issue takes place could be handle easily.

Conclusions
The evaluation results of information technology governance audit in PT. DEF according to the calculation value of capability level of DSS03 process was 64.66% which regarded as Partially Achieved and stood ini level 1 of capability. Value gap between present value (as-is) and expected value (to-be) on DSS domain in the DSS03 p-ISSN: 2540-9433; e-ISSN: 2540-9824 process in PT DEF was based on capability level calculation which has a plenty gap. Purposes recomendations that may be used to increase the rate of every domain of COBIT 5 process, so it can be useful as fixing recommendation for companies. This research presents such prosedures to evaluate the process of IT governance in certain company asosiates with COBIT 5 framework. For upcoming study, researchers would compare results of IT governance audit between COBIT 4.1 and COBIT 5 which would apply in the companies.