Information Technology Governance Audit Using
the COBIT 5 Framework at XYZ University
George Morris William Tangka Andrew Tanny Liem
Department of Computer Science Department of Computer Science
Universitas Klabat Universitas Klabat
Airmadidi, Indonesia Airmadidi, Indonesia
gmwtangka@gmail.com andrew.heriyana@unklab.ac.id
2020 2nd International Conference on Cybernetics and Intelligent System (ICORIS) | 978-1-7281-7257-6/20/$31.00 ©2020 IEEE | DOI: 10.1109/ICORIS50180.2020.9320803
Abstract—Information Technology (IT) governance is a
collection of processes that aim to ensure the suitability of IT
implementation with its support for achieving organizational
goals. Good IT governance can help support the organization's
success in achieving its goals. To find out the extent to which IT
governance is implemented, IT governance needs to be audited.
In its development, IT has been applied in various places, one of
which is the University. IT implemented in the University is a
concept that answers the needs of the organization to guarantee
the return of invested IT. Without IT governance, it can be a
waste of IT investment done. XYZ University is one of several
universities that have implemented IT to support data services
and management. The implementation of IT at XYZ university
has never been audited. The purpose of this study was to
conduct an audit of the IT governance that was implemented. IT
governance audit is carried out based on the COBIT 5
framework. This research uses a descriptive method. Based on
the results obtained from the analysis carried out, IT
governance at XYZ university is still at the level of capability
level 0 - Incomplete Process with the acquisition of capability
values averaging 0.5. Researchers provide advice for the
University to improve IT governance that has been implemented
so that in the future it can achieve a higher level of capability.
Keywords— IT Governance, IT Audit, COBIT 5, Capability
Level
I. INTRODUCTION
Information technology (IT) plays an important role in
supporting the activities and business processes of an
organization. Some important roles of IT in an organization,
among others, as a means to assist an organization in realizing
efficiency between management and operational perspectives,
improving service quality to consumers, and IT can also be
used as a basis for assisting decision making. To achieve this,
good and correct management of IT is needed so that IT can
be utilized to support the organization's success in achieving
its goals. The success of organizational governance depends
on how far IT governance is applied [1].
The competitiveness of an organization depends heavily
on IT governance because good IT governance can help
organizations maximize the benefits of implementing IT. IT
governance is a procedure and set of processes that aim to
ensure the suitability of IT implementation with its support for
achieving organizational goals, controlling the use of IT
resources and managing risks associated with IT. IT
governance also controls all stages in the IT solution life cycle
to maintain harmony between IT and organizational strategies
to achieve the organization's business goals. IT governance is
needed because IT is no longer only seen as a supporting
element of business processes but has been seen as part of a
business strategy. For this reason, an IT audit is needed to
determine the extent to which IT has been implemented to
help achieve organizational goals [2].
Authorized licensed use limited to: UNIVERSITY OF CONNECTICUT. Downloaded on May 19,2021 at 05:52:47 UTC from IEEE Xplore. Restrictions apply.
Joe Yuan Mambu
Department of Computer Science
Universitas Klabat
Airmadidi, Indonesia
joeyuan.mambu@unklab.ac.id
Information technology audits have several standards that
are used for research [3]. Examples of these standards are the
Information Technology Infrastructure Library (ITIL) and
Control Objectives for Information and Related Technologies
(COBIT). ITIL focuses on services for customers and does not
provide a process of aligning the company's strategy with IT
strategies. COBIT provides detailed IT Governance and
control objectives framework for managers, business process
owners, users, and auditors because it manages information
technology holistically so that the value provided by IT can be
achieved optimally by taking into account all aspects of IT
governance [4]. COBIT continues to grow until now two
versions are often used, namely COBIT 4.1 and COBIT 5. In
COBIT 5 there are new processes that were previously not in
COBIT 4.1. So, the processes at COBIT 5 are more holistic
and cover aspects of corporate governance and IT
management [5]. For instance, a study in [6] was measuring
and evaluating the attendance system in a body and repairs
services company by using COBIT 5. Moreover, in [7]-[9]
also use COBIT in different types of company, such as internet
service provider, oil palm, higher education, respectively.
Therefore COBIT 5 is considered appropriate and can assist
in the information technology audit process because it covers
all elements of the information technology used and one of the
organizations implementing IT is the university.
The University is an educational institution consisting of
several faculties that carry out scientific and professional
education in several scientific disciplines to educate the life of
the nation. The university provides academic degrees in
various fields. IT is positioned as a means of increasing
knowledge and at the same time providing maximum service
for all university stakeholders [10].
IT in a university is a concept that answers the needs of the
organization to guarantee the return of invested IT investment.
Without IT governance, the risk of IT investment and service
failure can result. Most IT governance in higher education is
still not done optimally [2].
XYZ University is one of the various universities in North
Sulawesi. XYZ University has implemented IT to help service
and process data. IT management at XYZ University is still
done in two ways, namely, computerized and manual so that
IT integration has not been optimal which has resulted in IT
not being able to provide solutions to business changes
properly. On the other hand, IT applied at XYZ university has
never been audited.
Therefore, this research was conducted to make a report
on the results of IT governance audits at XYZ University. This
research has gone through several stages starting from needs
analysis, to report writing and giving
recommendations/suggestions on the results of IT governance
audits that are in line with the current business model. To
examine IT governance at XYZ University, researchers used
the COBIT 5.0 framework.
 II. RESEARCH METHOD
This research uses a descriptive evaluation method. This
study aims to measure the results or effects of activity by
comparing them with the intended goals [11]. The results
obtained will be described using scientific procedures to
answer the problem in real-time.
A. Research Design
The research design used was descriptive research design.
Descriptive research is research that aims to describe the
current situation by using scientific procedures to answer
actual problems.
B. Data Source
The researcher uses primary data and secondary data.
Primary data is data obtained by researchers directly.
Secondary data is data obtained by researchers from existing
sources.
C. Data Collection Technique
The researcher observes and runs a questionnaire to collect
the data needed in the current study. The questionnaire was
developed based on the COBIT 5 framework which refers to
the processes related to the customer section (Balance Score
Card) BSC [12]. Therefore, it does not need to be tested for
validity and reliability. The questionnaire chosen by the
researcher was based on the results of the organization's vision
& mission mapping into the COBIT process 5. This
questionnaire was distributed to deans, heads of departments
under the vice-chancellors 1 and 3, and vice-chancellor 1 and
vice-chancellor 3.
D. Process Mapping COBIT 5
In conducting mapping, researchers use a top-down
approach. The top-down approach is carried out from the
mapping of policy directions or organizational structures that
can be seen in the organization's vision and mission statements
and adapted to existing IT problems. The organization's vision
& mission statement is mapped to the enterprise goal COBIT
5 [13]. Furthermore, enterprise goals related to the company
vision and mission are mapped to IT related goals which are
then mapped again into the COBIT 5 process. This mapping
focuses on the BSC customer section only.
After mapping, a number of COBIT 5 processes on the
BSC customer section were found as follows:
1) EDM01: Ensure Governance Framework Settings
and Maintenance
2) EDM02: Ensure Benefits Delivery
3) EDM05: Ensure Stakeholder Transparency
4) APO02: Manage Strategy
5) APO08: Manage Relationship
6) APO09: Manage Service Agreement
7) APO10: Manage Suppliers
8) APO11: Manage Quality
9) BAI02: Manage Requirements Definition
10) BAI03: Manage Solution Identification and Build
11) BAI04: Manage Availability and Capacity
12) BAI06: Manage Changes
13) DSS01: Manage Operations
14) DSS02: Manage Service Requests and Incidents
15) DSS03: Manage Problems
16) DSS04: Manage Continuity
17) DSS06: Manage Business Process Controls
Authorized licensed use limited to: UNIVERSITY OF CONNECTICUT. Downloaded on May 19,2021 at 05:52:47 UTC from IEEE Xplore. Restrictions apply.
18) MEA01: Monitor, Evaluate and Assess
Performance and Conformance
III. RESULTS AND DISCUSSION
Before you begin to format your paper, first write and save
the content as a separate text file. Complete all content and
organizational editing before formatting. Please note sections
A-D below for more information on proofreading, spelling
and grammar.
The process of evaluating IT governance using
COBIT 5 includes 18 processes based on the results of the
organization's vision & mission mapping into the COBIT
process 5. The measurement results are based on the indicators
of each process [8]. The overall assessment results of each
COBIT 5 control objective can be seen in Fig. 1. The average
achievement of IT governance at UKLAB is 0.5, meaning that
most IT processes have been carried out but have not yet
achieved the objectives of the IT process. For example, when
IT-related problems arise and are dealt with, there is no record
of these problems. As a result, the same types of problems can
occur repeatedly [14]. From Fig. 1, it can also be seen that the
domain that reaches the highest value is the DSS domain of
0.57 and the domain that reaches the lowest value is the MEA
domain of 0.37.
Fig. 1. Results of Capability Levels of each Domain
From the results of this study, it can be concluded that
XYZ universities need to make improvements as well as
improvements to the MEA01 domain especially in the
MEA01 process: Monitor, Evaluate and Assess Performance
and Conformance.
A. EDM Domain Results (Evaluate, Direct, and Control)
EDM domains relate to stakeholder governance objectives
- value delivery, risk optimization, and resource optimization
- and include practices and activities aimed at evaluating
strategic options, providing direction to IT and monitoring
results. In the EDM domain, there are 3 processes examined
based on the results of the mapping in the previous section.
These processes are EDM01, EDM02 & EDM05. Overall, the
achievement of the EDM domain is 0.49.
Based on Fig. 2. it can be seen that the EDM domain that
achieves the highest value is the EDM05 process: Ensure
Stakeholder Transparency of 0.62. This means that the process
has been implemented but most of the outcomes of the process
have not been achieved. The outcome of a good EDM05 is
that communication to stakeholders is effective and timely and
the basis for reporting is set to improve performance, identify
areas for improvement, and ensure that IT-related goals and
strategies are in line with organizational strategy [13].
Fig. 2. EDM domain Results
B. APO Domain Results (Align, Plan, Organize)
This domain includes strategies and tactics and identifying
the best ways IT can contribute to achieving business goals.
The realization of a strategic vision needs to be planned,
communicated and managed for a different perspective. The
right organization, as well as technological infrastructure,
must be enforced [15]. In the APO domain, there are 5
processes examined based on the results of the mapping in the
previous section. These processes are APO02, APO08,
APO09, APO10 & APO11. Overall, the achievement of the
APO domain is 0.53.
The process that reaches the highest score is APO11:
Manage Quality with a value of 0.7 followed by APO08:
Manage Relationship with a value of 0.59 as illustrated in Fig.
3. This shows that both processes have been implemented and
most of the outcomes of each process have been achieved. The
outcome of the APO11 and APO08 processes is the delivery
of consistent solutions and services to meet company quality
requirements and meet stakeholder needs and increase self-
confidence (IT parties), trust in IT and effective resource use
[13].
Fig. 3. APO domain Results
In contrast to APO02: Ensure Benefits Delivery which
only reaches a value of 0.4, which means that the
implementation of the APO02 process has been carried out but
unfortunately, most of the outcomes of this process have not
been achieved. For example, XYZ university has an IT
strategic plan that is aligned with business objectives, but
unfortunately, the purpose and accountability of IT strategic
plans are still not communicated [13].
Authorized licensed use limited to: UNIVERSITY OF CONNECTICUT. Downloaded on May 19,2021 at 05:52:47 UTC from IEEE Xplore. Restrictions apply.
C. BAI Domain Results (Build, Acquire and Implement)
This domain provides solutions and continues them to be
converted into services. To realize an IT strategy, IT solutions
need to be identified, developed or acquired and implemented
and integrated into business processes. Changes and
maintenance of existing systems are also covered by this
domain, to ensure that solutions continue to meet business
objectives [16]. In the BAI domain, there are 4 processes
examined based on the results of the mapping in the previous
section. These processes are BAI02, BAI03, BAI04, &
BAI06. Overall, the achievement of the BAI domain is 0.52.
Based on Fig. 4. the process that gets the highest score is
BAI04: Manage Availability and Capacity, the value obtained
is 0.62. This means that the process has been implemented and
part of the process outcome has been achieved. The outcome
of a good BAI04 is maintaining service availability, efficient
resource management, and optimizing system performance
through predicting future performance and capacity
requirements [13].
The achievement of the lowest value for the BAI domain
is BAI06: Manage Changes, which is equal to 0.44, which
means that XYZ universities have implemented this process,
however, most of the process outcomes are not achieved. The
good outcome of the BAI06 process is to allow the delivery of
rapid and reliable changes to business and risk mitigation to
have a negative impact on changing environmental stability or
integrity [13].
Fig. 4. BAI domain Results
D. DSS Domain Results (Deliver, Support, and Service)
The DSS domain accepts solutions and makes them usable
for end users. This domain relates to the actual provision and
support of needed services, which include service provision,
security and continuity management, service support for
users, and data management and operational facilities [15]. In
the DSS domain, there are 5 processes examined based on the
results of the mapping in the previous section. These processes
are DSS01, DSS02, DSS03, DSS04, & DSS06. Overall, the
achievement of the DSS domain is 0.57 as shown in Fig. 5.
In this domain, the process that achieves the highest score
is DSS03: Manage Problems. The value achieved is 0.77,
which means that the process has been implemented and most
of the process outcomes have been achieved. The outcome of
this process is increasing availability, improving services,
reducing costs, and increasing customer comfort and
satisfaction by reducing the number of operational problems
[13].
For the DSS02 process: Manage Service Requests and
Incidents and DSS04: Manage Continuity, these two
processes have the same value of 0.44. Both of these processes
have been implemented, but good outcomes from these two
processes have not been achieved. The good outcome for the
DSS02 is achieving increased productivity and minimizing
disruption through a quick resolution of user questions and
incidents. And for DSS04 it is to continue important business
operations and maintain the availability of information at a
level acceptable to the company in the event of a significant
disruption [13].
Fig. 5. DSS Domain Results
E. MEA domain Results (Monitor, Evaluate, Assess)
Domain MEA monitors all processes to ensure that the
directions provided are followed. All IT processes must be
regularly assessed from time to time for their quality and
compliance with control requirements. This domain addresses
performance management, monitoring internal controls,
compliance with regulations and governance [15].
Based on the results of the mapping in the previous
section, the process examined in this domain is only 1,
MEA01: Monitor, Evaluate and Assess Performance and
Conformance. The result of achieving this process is 0.37
which means that the process has been implemented but most
of the process outcomes have not been achieved. The outcome
of this process is to provide transparent and appropriate
performance and achieving organizational goals.
IV. CONCLUSION
The researcher found that basically to provide IT
services that are in line with business requirements, XYZ
universities have implemented various processes but some of
these processes have not been implemented maximally. XYZ
universities still do not have a good IT governance system, IT
strategies are still not or less aligned with organizational
strategies, and IT Business Continuity Plan (BCP) related to
IT is not or less developed. As a result, the optimal value of
the investment cannot or is not felt by both the XYZ university
and the customer. There is no IT Service Level Agreement
(SLA) that has an impact on the provision of services and the
level of IT-related services that are chaotic, does not meet the
needs of today's organizations. In addition, there is no standard
applied for monitoring, the metric used to measure the
performance of the IT Dept. at XYZ university has not been
developed. Nevertheless, stakeholders from the XYZ
university already feel quite satisfied with the quality of the IT
services provided.
On the other hand, operational services are provided
by the IT Dept. XYZ University has gone according to the
plan. Operational activities are carried out as needed and
scheduled. As a result, most IT related services are available
for use. IT related problems are resolved so that the problem
Authorized licensed use limited to: UNIVERSITY OF CONNECTICUT. Downloaded on May 19,2021 at 05:52:47 UTC from IEEE Xplore. Restrictions apply.
does not recur. Reporting (related to IT) to stakeholders has
been quite good, this is evidenced by the existence of a
transparent accountability report, which was made by the IT
Dept. XYZ University to stakeholders.
Measuring the level of IT governance capabilities at
XYZ University is done using the COBIT 5.0 framework
which includes every domain (EDM, APO, BAI, DSS, &
MEA). Measurement starts from mapping the organization's
vision and mission into COBIT 5.0 processes. From the results
of the mapping, 18 selected processes were obtained. Data
collection is done by observing and distributing
questionnaires to related parties.
Overall, IT governance at XYZ University is at the
level of capability level 0 (Incomplete Process), with an
average value of 0.5. The domain that gets the highest score is
the DSS domain of 0.57 and the domain that reaches the
lowest value is the MEA domain of 0.37.
Based on the results of the research conducted,
researchers have several suggestions that can be considered by
XYZ universities to improve IT governance: 1) The domain
with achieving the lowest value is expected to immediately
make improvements first and pay more attention to achieving
the expected goals; 2) Conduct continuous evaluations to
improve IT governance that refers to the COBIT standard 5.
REFERENCES
[1] H. Setiawan and K. Mustofa, “Metode Audit Tata Kelola Teknologi
Informasi di Instansi Pemerintah Indonesia,” IPTEK-KOM, vol. 15,
no. 1, Jun. 2013.
[2] I. E. Kaban, “Tata Kelola Teknologi Informasi (IT
Governance),” CommIT (Communication and Information
Technology) Journal, vol. 3, no. 1, p. 1, 2009.
[3] H.T. Sukmana, L.K. Wardhani, S. Khairunnisa, K.O. Lee, R. Wati
"ITSM Software Ranking for Small Medium Enterprises Based on
ITIL V3 Quick Win Criteria using Fuzzy SIR Method", Advances in
Science, Technology and Engineering Systems Journal, vol. 4, no. 2,
pp. 288-298 (2019).
[4] “COBIT: Control Objectives for Information Technologies,” ISACA.
[Online]. Available: http://www.isaca.org/COBIT/Pages/FAQs.aspx.
[Accessed: 13-Jul-2020].
[5] ISACA, COBIT 5: a business framework for the governance and
management of enterprise IT. Rolling Meadows, IL.: ISACA, 2012.
[6] N. F. Saragih, C. Sagala, I. S. Dumayanti, I. K. Jaya, E. Rajagukguk,
and A. Gea, “Evaluation of Employee Attendance System Using
COBIT 5 Framework,” 2019 International Conference of Computer
Science and Information Technology (ICoSNIKOM), 2019.
[7] Sandfreni and F. Adikara, "Capability level assessment of IT
governance in PTP Mitra Ogan: COBIT 5 framework for BAI 04
process," 2017 4th International Conference on Computer Applications
and Information Processing Technology (CAIPT), Kuta Bali, 2017, pp.
1-5.
[8] I. K. Nisrina, I. J. Matheus Edward and W. Shalannanda, "IT
governance framework planning based on COBIT 5 case study:
secured internet service provider company: Case Study: Secured
internet service provider company," 2016 2nd International Conference
on Wireless and Telematics (ICWT), Yogyakarta, 2016, pp. 51-56.
[9] B. Widjajanto, D. Agustini Santoso and N. Riiati, "Alignment Model
of Quality Assurance System of Higher Education And Performance
Measurement Based on on Framework CobiT 5," 2018 International
Seminar on Application for Technology of Information and
Communication, Semarang, 2018, pp. 207-213.
[10] F. Hamidi, M. Meshkat, M. Rezaee, and M. Jafari, “Information
technology in education,” Procedia Computer Science, vol. 3, pp. 369–
373, 2011.
[11] F. Ajismanto, “Analisis Domain Proses COBIT Framework 5 Pada
Sistem Informasi Worksheet (Studi Kasus: Perguruan Tinggi STMIK,
Politeknik Palcomtech),” CogITo Smart Journal, vol. 3, no. 2, p. 207,
2018.
[12] Y. Herdiana, “COBIT Self-Assessment Guide Using COBIT
5,” Academia.edu - Share research. [Online]. Available:
[13] https://www.academia.edu/8546156/COBIT_Self_Assessment_Guide
_Using_COBIT_5. [Accessed: 13-Jul-2020].
[14] ISACA, COBIT 5: enabling processes, Rolling Meadows, IL.: ISACA,
2012.
[15] J. Y. Mambu, J. Rewah, A. C. Iskak, and O. N. Sigarlaki, “Evaluasi
Sistem Informasi Universitas Klabat Menggunakan Framework
COBIT 5.0 Pada Domain MEA,” CogITo Smart Journal, vol. 5, no. 2,
p. 181, 2019.
[16] COBIT 5: Process Assessment Model (PAM): using COBIT 5. Rolling
Meadows, IL.: ISACA, 2013.

Authorized licensed use limited to: UNIVERSITY OF CONNECTICUT. Downloaded on May 19,2021 at 05:52:47 UTC from IEEE Xplore. Restrictions apply.