Performance Measurement of IT Based on COBIT Assessment: A …aisindo.org/wp-content/uploads/2019/10/6.2-Performance... · 2019. 10. 6. · Performance Measurement of IT Based on

Association for Information Systems – Indonesia chapter (AISINDO)

1

Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017) ISSN: 2460 – 6839

Performance Measurement of IT Based on COBIT Assessment: A Case Study

Johanes Fernandes Andry*1, Henny Hartono2

1,2Faculty Technology and Design, Bunda Mulia University Jl. Lodan Raya No. 2 Ancol, North Jakarta 14430

e-mail: *[email protected], [email protected]

Abstrak

Perusahaan telah menerapkan Teknologi Informasi (TI). Organisasi yang berorientasi pada bisnis menjalani berbagai jenis audit untuk tujuan yang berbeda. Audit TI berfokus pada aspek berbasis komputer dari sistem informasi organisasi dan menggunakan sistem tingkat teknologi modern yang signifikan. Tujuan dari penelitian ini adalah untuk mendapatkan gambaran umum mengenai kinerja tata kelola teknologi informasi untuk mengetahui tingkat kematangan dalam perusahaan yang saat ini berjalan, dengan beberapa aspek yang perlu diperhatikan seperti efektivitas, efisiensi, unit fungsional informasi teknologi dalam sebuah organisasi. Menerapkan tata kelola TI, bagaimanapun, adalah tantangan bagi organisasi. Untuk memastikan keselarasan TI dengan tujuan bisnis menggunakan standar COBIT. Alat analisis yang digunakan adalah prosedur standar COBIT yang dikeluarkan oleh ISACA. Dalam tulisan ini metode yang akan digunakan adalah COBIT 4.1. Domain PO dipilih untuk memberikan pendekatan yang detil dan komprehensif kepada manajemen yang konsisten untuk memungkinkan memenuhi persyaratan tata kelola perusahaan. Jenis penelitian ini penting bagi perusahaan untuk mengambil manfaat dari penerapan konsep di atas dalam rangka meningkatkan kinerja. Hasil tingkat kematangan tata kelola IT dalam domain Plan and Organize (PO), rata-rata berada di 1,9 (Initial) sampai 3.1 (Defined).

Kata kunci: Kinerja, COBIT, Tingkat Kematangan.

Abstract

Company has implemented Information Technology (IT). Business organizations undergo different types of audits for different purposes. An IT audit focuses on the computer-based aspects of an organization’s information system and modern systems employ significant levels of technology. The purpose of this research is to get an overview of the performance of information technology governance in order to determine the extent of maturity level in the company which is currently running, with a few aspects to consider such as effectiveness, efficiency, functional unit of information technology within an organization. Implementing IT governance, however, is a challenge to organizations. To ensure IT alignment with business goals use standard COBIT. The analytical tool used is the standard procedure COBIT issued by ISACA. In this paper the method to be used is COBIT 4.1. The PO domain is


2


selected to provide a consistent and detailed approach to consistent management to enable compliance with corporate governance requirements. This kind of research is important for company to take benefits from implementation of the above concepts in order to increase performance. Result maturity level of IT Governance in domain Plan and Organize (PO), average were at 1.9 (Initial) until 3.1 (Defined).

Keywords: Performance, COBIT, Maturity Level.

INTRODUCTION

Information technology (IT) has been a backbone of business in recent years, its investment has increased [1]. Nowadays, companies that have implemented information system and information technology are becoming critical role player for any organization to achieve its goals and become a winner in this globalization and competition era [2]. Information technologies (IT) have more and more impacts on companies’ revenue, making differences on their evolution function. Information Systems (IS) have become serious investments in front of world’s markets agility and exponential changing; and also have become one of the companies’ reliable assets to achieve business goals [3].

Organizations should adhere to IT governance practices which purpose is to ensure sustainable IT and to extend the organizations’ strategies and objectives [4]. Information technology governance essentially defined in literature as specification of decision-making structures, processes, and relational mechanisms for direction and control of IT operations, and is also identified as an organizational skill of great importance to strategic alignment, value delivery, risk management and IT resource [5]. IT governance refers to the patterns of authority for key IT activities in business firms, including IT infrastructure, IT use, and project management. IT governance determines who makes the IT-related decisions and assigns accountability for the outcomes. Effective governance aligns IT investments with overall business priorities [6]. IT governance arrangements encompass mechanisms that enable business and IT executives to formulate policies and procedures, implement them in specific applications, and monitor outcomes. Thus, governance arrangements include structural, process, and outcome metric dimensions [7]. Control Objectives for Information and Related Technology (COBIT) is a framework created by Information Systems Audit and Control Association (ISACA) for IT management and IT governance and is now extensively used by business. ISACA is a recognized as the worldwide leader in IT governance, control, security and assurance [8].

The purpose of this research is to get an overview of the performance of information technology governance in order to determine the extent of the


3


capabilities of information technology governance in the PT. Sukma Scientific Abadi (SCA) which is currently running, with a few aspects to consider such as: effectiveness, efficiency, functional unit of information technology within an organization, the data integrity, safeguarding assets, reliability, confidentiality, availability, and security. The benefit of this research is to determine the maturity level of information technology governance in the Company using COBIT 4.1.

2. RELEVANT THEORY

2.1 Performance Measurement

Before defining the performance measurement concept, it is worth discussing its components. First, the literature defines the term “performance” as the ability of an entity, such as a person, group or organization, to make results in relation to specific and determined objectives [9]. In addition, performance is an actual work or output produced by a specific unit or entity. To put it another way, the performance concept refers to the measurable achievements produced. Second, the term “measurement” indicates the ability and processes used to quantify and control specific activities and events [10].

Traditionally, the focus of performance measurement (PM) has been on financial measures only. By the late 1980s, studies had shown that historic financial data is not enough to satisfy the PM in the new economy because of the increasing complexity of organizations and the markets in which companies compete [11].

2.2 Control Objectives for Information and Related Technology (COBIT)

Control Objective for Information and Related Technology (COBIT) is the information technology governance framework, which applies to management, IT services, control department, audit functions, and more importantly the owners of the business process to ensure the accuracy, integrity, and availability of data and information which are important and sensitive. COBIT essentially is developed to meet the various needs of management by bridging the information gap between business risks, control, and technical problems. COBIT supports IT governance by providing a framework to establish the alignment of IT with the business [12].

COBIT has been proved to provide a successful framework for IT governance in a controlled environment. There are four major domains under which there are 34 top level control objectives and are listed below [13]:

a) Plan and Organize (PO),

b) Acquire and Implement (AI),

c) Deliver and Support (DS),


4


d) Monitor and Evaluate (ME).

In more detail, the overall COBIT framework can be shown graphically, as depicted in Figure 1.COBIT Framework, with COBIT’s process model of four domains containing 34 generic processes, managing the IT resources to deliver information to the business according to business and governance requirements.

Figure1. Framework COBIT 4.1 [14], [15], [16], [17]

2.3 Maturity Level

COBIT 4.1 uses a range of levels to assess the maturity, these levels are:

Tabel 1. COBIT 4.1 Maturity Level Assessment Criteria [8]

Maturity Index Maturity Level

0 – 0,50 0 – Non-existents

0,51 – 1,50 1 – Initial/ad hoc

1,51 – 2,50 2 – Repeatable but Intuitive

2,51 – 3,50 3 – Defined Process


5


3,51 – 4,50 4 – Managed and Measurable

4,51 – 5,00 5 – Optimized

3. RESEARCH METHODS

PT. Sukma Scientific Abadi, located in Jakarta. One of the companies engaged in the field of distributor & reseller of various kinds of laboratory chemicals and supplies. The company is also doing business by selling oil products and chemicals. Oil products are usually used for tire raw materials. While the material Chemicals sold to pharmaceuticals or textiles that require chemicals in their production processes.

This research uses literature study by conducting early survey by analyzing vision and mission, goals and objectives as well as the company's strategic plan as well as the strategies, policies related to the management of IT investments and field observations.

The analytical tool used in this study is the standard procedure COBIT issued by ISACA (Information systems Audit and Control Association) [8], where the data can be obtained by various methods, namely: Questionnaire; by distributing questionnaires to every department in the SCA Company. The respondents consist of 5 respondents from the top management and 35 respondents as representatives of every department in the SCA Company, so the overall total respondents obtained are 40.


6


Figure 2. Step by Step Performance Measurement

Reporting, after questionnaires were distributed, the collected data were processed to be calculated based on the maturity level calculation. The result of the audit contains the findings of the present (current maturity level) and hope in the future (expected maturity level). The next steps were to calculate the gap analysis in order to analyze the interpretation of the current and expected maturity level and to provide recommendation lists of the corrective actions to overcome gap to achieve the improvements in IT governance. The focus on this research is on PO domains only. Reason for only domain PO are provide a detailed and comprehensive approach to consistent management to enable fulfill the requirements of corporate governance can be met, covering the entire management process, corporate organizational structure, management roles and responsibilities, reliable and accountable activities in IT governance, as well as the skills and competencies of the resources.

4. RESULT AND ANALYSIS

Authors will analyze more to the environment that occur within the IT department SCA Company, from employees, equipment, physical security, regulations, etc, focused to domain PO.

Plan and Organize (PO)

In this stage the authors analyzed IT strategic planning that is required to manage and direct all IT resources in-line with the business strategy and priorities. The IT function and business stakeholders are responsible for ensuring that optimal value is realized from project and service portfolios. Expected maturity level of PO is Level 4, Managed and measurable.

4.1 PO1 Define a Strategic IT Plan

IT strategic planning is required to manage and direct all IT resources to be in-line with the business strategy and priorities. Management of the “Define a Strategic IT Plan” process that satisfies the business requirement for IT to sustain or extend the business strategy and governance requirements while being transparent about benefits, costs and risks is by devising IT strategic planning is shared with business management on an as-needed basis. The average of the PO1 processes were 2.1 that were in level 2 Repeatable but Intuitive.

Recommendations are undertake a discussion of development plans, procurement of new tools, or training of information technology staff specifically on business management findings and undertaking strategic planning of information


7


technology follows a structured and documented approach to all staff and develop an overall information technology strategy and analyze possible risks.

4.2 PO2 Define the Information Architecture

This process improves the quality of management decision-making by making sure that reliable and secure information is provided, and it enables rationalizing information systems resources to appropriately match business strategies. Management of the “Define the Information Architecture” process that satisfies the business requirement for IT of being agile in responding to requirements, to provide reliable and consistent information, and to seamlessly integrate applications into business processes is by developing tactical requirements that drives the development of information architecture components by individual staff members. The average of the PO2 processes were 2.2 that were in level 2 Repeatable but Intuitive.

Recommendations are conduct formal training, arrange training schedule. Compile one form of reporting form so that communication can be done consistently has reporting standards and documenting all procedures and tools so that there is no dependency on only one key expert.

4.3 PO3 Determine Technological Direction

The information services function determines the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services, and delivery mechanisms. Management of the “Determine Technological Direction” process that satisfies the business requirement for IT of having stable, cost-effective, integrated and standard application systems, resources and capabilities that meet current and future business requirements is to devise a defined, documented and well-communicated technology infrastructure plan, but it is inconsistently applied. The average of the PO3 processes was 3.1 that were in level 3 Defined Process.

Recommendations are divisions of responsibilities between departments should be clear, documenting each task in each department and each individual and company must establish a qualified vendor selection standard and have a good portfolio for long-term cooperation purposes.

4.4 PO4 Define the IT Processes, Organization, and Relationships

Processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management,


8


information security, data and systems ownership, and segregation of duties. Management of the “Define the IT Processes, Organization and Relationships” process that satisfies the business requirement for IT of being agile in responding to the business strategy whilst complying with governance requirements and providing defined and competent points of contact is to define and implement the division of roles and responsibilities. The average of the PO4 processes was 3.1 that were in level 3 Defined Process.

Recommendations are clearly define roles and responsibilities. Divide the task so that it does not accumulate on one individual, establish a steering committee and establish internal audit and vendor management. Internal auditing can be selected from people who have been experienced in the company, assisted by expert staff in their respective fields.

4.5 PO5 Manage the IT Investment

Stakeholders are consulted to identify and control the total costs and to manage the IT investment that satisfies the business requirement for IT to continuously and demonstrably improve IT’s cost-efficiency and its contribution to business profitability with integrated and standardized services that satisfy end-user expectations is by defining, documenting, and communicating policies and processes for investment and budgeting, and by covering key business and technology issues. The IT budget is aligned with the strategic IT and business plans. The average of the PO5 processes was 3.0 that were in level 3 Defined Process.

Recommendations are establish an information technology performance measurement framework and monitor performance by recording targets, summarize information technology performance reviews and incorporate into the company's monitoring system, make improvements based on performance monitoring.

4.6 PO6 Communicate Management Aims and Direction

The communication supports achievement of IT objectives and ensures awareness and understanding of business and IT risks, objectives, and direction. The process ensures compliance with relevant laws and regulations. Management of the “Communicate Management Aims and Direction” process that satisfies the business requirement for IT of supplying accurate and timely information on current and future IT services and associated risks and responsibilities is to make sure that the needs and requirements of an effective information control environment are implicitly understood by management, but practices are largely informal. The average of the PO6 processes were 2.1 that were in level 2 Repeatable but Intuitive.


9


Recommendations are Establish formal control of each policy and activity, methodologies and tools for monitoring internal controls are used, and should be planned and documented and internal control responsibilities may be submitted or represented to other staff accompanying the expert, so that the controls are not focused on one person.

4.7 PO7 Manage IT Human Resources

A competent workforce is acquired and maintained for the creation and delivery of IT services to the business. This is achieved by following defined and agreed-upon practices supporting recruiting, training, evaluating performance, promoting and terminating. Management of the “Manage IT Human Resources” process that satisfies the business requirement for IT of acquiring competent and motivated people to create and deliver IT services is to deploy a tactical approach to hire and manage IT personnel, driven by project-specific needs, rather than by understanding balance of internal and external availability of skilled staff. Informal training takes place for new personnel, who then receive training on an as-required basis. The average of the PO7 processes were 2.2 that were in level 2 Repeatable but Intuitive.

Recommendations are review and adjust the information technology policy in accordance with standard contract procedures and all meet the legal requirements. Investigate local and international laws, regulations and requirements that organizations and information technology must meet and apply all applicable laws on all information technology uses. Provide legal knowledge and regulations and other external requirements to all staff.

4.8 PO8 Manage Quality

Quality requirements are stated and communicated in quantifiable and achievable indicators. Continuous improvement is achieved by ongoing monitoring, analysis, and acting upon deviations, and communicating results to stakeholders. Management of the “Manage Quality” process that satisfies the business requirement for IT to ensure continuous and measurable improvement of the quality of IT services delivered is by defining basic quality expectations and shares them among projects and within the IT organization. The average of the PO8 processes were 2.9 that were in level 2 Repeatable but Intuitive.

Recommendations are regularly evaluating information technology investments, managing the portfolio determine which parts should be developed. Prepare cost optimization well for example information technology spending plan set, business goal set and planned how big information technology can support


10


business from result of goal will be evaluated again function of information technology in supporting business.

4.9 PO9 Assess and Manage IT Risks

A risk management framework is created and maintained. The framework documents a common and agreed-upon level of IT risks, mitigation strategies, and residual risks. Management of the “Assess and Manage IT Risks” process that satisfies the business requirement for IT of analyzing and communicating IT risks and their potential impact on business processes and goals is by considering IT risks in an ad hoc manner. Informal assessments of project risk take place as determined by each project. Risk assessments are sometimes identified in a project plan but are rarely assigned to specific managers. The average of the PO9 processes were 1.9 that were in level 1 Initial / Ad Hoc.

Recommendations are management should establish risk management training for all staff. Training can be done by experienced IT managers to other staff. Prioritize and plan monitoring activities at all levels to carry out risk identification, including costs. Report any irregularities to senior management and staff are given provisions to find out the initial characteristics of the problem so that early risk handling can be done.

4.10 PO10 Manage Projects

This approach reduces the risk of unexpected costs and project cancellations, improves communications and involvement of business and end users, ensures the value and quality of project deliverables, and maximizes their contribution to IT-enabled investment programmers. Management of the “Manage Projects” process that satisfies the business requirement for IT of ensuring the delivery of project results within agreed-upon time frames, budget, and quality is that the senior management gains and communicates an awareness of the need for IT project management. The average of the P10 processes were 2.3 that were in level 2 Repeatable but Intuitive.

Recommendations are establish appropriate responsibility, authority and criteria for one project leader to supervise each team member and project is submitted to the project developer and communicated to all stakeholders, assessing each phase. All sub domain PO can see table 2.


11


Tabel 2. Maturity Level Domain Plan and Organize

Maturity Level Domain Plan and Organize

No. Sub Domain Current

PO1 Define a Strategic IT Plan 2.1

PO2 Define the Information Architecture 2.2

PO3 Determine Technological Direction 3.1

PO4 Define the IT Processes, Organization, and Relationships 3.1

PO5 Manage the IT Investment 3.0

PO6 Communicate Management Aims and Direction 2.1

PO7 Manage IT Human Resources 2.2

PO8 Manage Quality 2.9

PO9 Assess and Manage IT Risks 1.9

PO10 Manage Projects 2.3

5. CONCLUSION

Organizations should take into considerations the importance of IT governance and its aspects such as: effectiveness, efficiency, functional unit of information technology, the data integrity, safeguarding assets, reliability, confidentiality, availability, and security in enhancing their performance. The results of this research proved that the maturity level for the SCA Company based on Plan and Organize domain average was at 1.9 (Initial) until 3.1 (Defined). This means that controls are implemented but not documented, since they depend on the knowledge and motivation of individuals. The employees may not be aware of their responsibilities. The authors hope that these findings will be useful to others in the IT Governance field using COBIT 4.1.

REFERENCES


12


[1] Preittigun, A., Chantatub, W., Vatanasakdakul, S., 2012, A Comparison between IT Governance Research and Concepts in COBIT 5, International Journal of Research in Management & Technology, Vol. 2, No.6, pp. 581-590.

[2] Harwikarya, Sadikin, M., Fitrianah, D., Sarinanto, M. M., Nurhaida, I., and Dwiyanto, A. R., 2015, IS Strategic Plan for Higher Education Based on COBIT Assessment: A Case Study, International Journal of Information and Education Technology, Vol. 5, No. 8, pp. 629-633.

[3] Meriyem, C., Adil, S., and Hicham, M., 2015, IT Governance Ontology Building Process: Example of developing Audit Ontology, International Journal of Computer Techniques, Vol. 2, Issue 1, pp. 134-141.

[4] Marewick, C., and Labuschagne, L., 2011, An Investigation Into The Governance of Information Technology Projects in South Africa, International Journal of Project Management, Vol. 29, No. 6, pp. 661-670.

[5] Bermejo, P. H. S., Tonelli, A. O., Zambalde, A. L., Brito, M. J., and Todesco, J. L., 2012, Implementation of information technology (IT) governance through IT strategic planning, African Journal of Business Management, Vol.6 , pp. 11179-11189.

[6] Latif, A. A., and Hanifi, N., 2013, Analyzing IT Function Using COBIT 4.1 A Case Study of Malaysian Private University, Journal of Economics, Business and Management, Vol. 1, No. 4, pp. 406-408.

[7] Bowen, P. L., Cheung, M. Y. D., and Rohde, F. H., 2007, Enhancing IT governance practices: A model and case study of an organization's efforts, International Journal of Accounting Information Systems, Vol. 8, pp. 191–221.

[8] Pasquini, A., 2013, COBIT 5 and the Process Capability Model. Improvements Provided for IT Governance Process, Proceedings of FIKUSZ ’13 Symposium for Young Researchers, pp. 67-76.

[9] Wraikat, M. M., 2010, Information Technology Governance Role in Enhancing Performance: A Case Study on Jordan Public Sector, Proceedings of the World Congress on Engineering and Computer Science, Vol 1.

[10]Zeglat, D., AlRawabdeh, W., Almadi, F., and Shrafat, F., 2012, Performance Measurements Systems: Stages of Development Leading to Success, Interdisciplinary Journal of Contemporary Research in Business, Vol. 4, No. 7, pp. 440-448.


13


[11]Striteska, M., and Spickova, M., 2012, Review and Comparison of Performance Measurement Systems, Journal of Organizational Management Studies, pp. 1-13.

[12]Tanuwijaya, H., and Sarno, R., 2010, Comparation of CobiT Maturity Model and Structural Equation Model for Measuring the Alignment between University Academic Regulations and Information Technology Goals, International Journal of Computer Science and Network Security, Vol.10, No.6, pp. 80-92.

[13]Yousif, S. T., and Sulaiman, H., 2015, Conceptual Framework for Successful IT-Governance for E-Government Services, The 3rd National Graduate Conference, pp. 302-307.

[14]Andry, J. F., 2016, Audit Tata Kelola TI Menggunakan Kerangka Kerja COBIT Pada Domain DS dan ME Di Perusahaan Kreavi Informatika Solusindo, Seminar Nasional Teknologi Informasi dan Komunikasi 2016 (SENTIKA 2016) ISSN: 2089-9815, Yogyakarta.

[15]Andry, J. F., 2016, Audit Sistem Informasi Sumber Daya Manusia Pada Training Center Di Jakarta Menggunakan Framework Cobit 4.1, Jurnal Ilmiah FIFO, Vol. VIII, No.1, pp. 28-34.

[16]Andry, J. F., 2017, Audit Sistem Informasi Absensi Pada Pt. Bank Central Asia Tbk Menggunakan Cobit 4.1, Jurnal Teknik Informatika dan Sistem Informasi, Volume 3, Nomor 2, Agustus, e-ISSN : 2443-2229.

[17]IT Governance Institute, 2007, COBIT 4.1 Framework, Control Objective, Management Guidelines, Maturity Models, Rolling Meadows, IL 60008 USA: ITGI, Available: http://www.isaca.org.

Documents

Performance Measurement of IT Based on COBIT Assessment: A …aisindo.org/wp-content/uploads/2019/10/6.2-Performance... · 2019. 10. 6. · Performance Measurement of IT Based on