Performance Measurement of IT Based on COBIT Assessment: A Case Study
Association for Information Systems – Indonesia chapter (AISINDO)
1
Performance Measurement of IT Based on COBIT Assessment: A
Case Study
Johanes Fernandes Andry*1, Henny Hartono2
1,2
Faculty Technology and Design, Bunda Mulia University
Jl. Lodan Raya No. 2 Ancol, North Jakarta 14430
e-mail: *1jandry@bundamulia.ac.id, 2hhartono@bundamulia.ac.id
Abstrak
Perusahaan telah menerapkan Teknologi Informasi (TI). Organisasi yang berorientasi
pada bisnis menjalani berbagai jenis audit untuk tujuan yang berbeda. Audit TI berfokus
pada aspek berbasis komputer dari sistem informasi organisasi dan menggunakan sistem
tingkat teknologi modern yang signifikan. Tujuan dari penelitian ini adalah untuk
mendapatkan gambaran umum mengenai kinerja tata kelola teknologi informasi untuk
mengetahui tingkat kematangan dalam perusahaan yang saat ini berjalan, dengan beberapa
aspek yang perlu diperhatikan seperti efektivitas, efisiensi, unit fungsional informasi
teknologi dalam sebuah organisasi. Menerapkan tata kelola TI, bagaimanapun, adalah
tantangan bagi organisasi. Untuk memastikan keselarasan TI dengan tujuan bisnis
menggunakan standar COBIT. Alat analisis yang digunakan adalah prosedur standar COBIT
yang dikeluarkan oleh ISACA. Dalam tulisan ini metode yang akan digunakan adalah COBIT
4.1. Domain PO dipilih untuk memberikan pendekatan yang detil dan komprehensif kepada
manajemen yang konsisten untuk memungkinkan memenuhi persyaratan tata kelola
perusahaan. Jenis penelitian ini penting bagi perusahaan untuk mengambil manfaat dari
penerapan konsep di atas dalam rangka meningkatkan kinerja. Hasil tingkat kematangan
tata kelola IT dalam domain Plan and Organize (PO), rata-rata berada di 1,9 (Initial) sampai
3.1 (Defined).
Kata kunci: Kinerja, COBIT, Tingkat Kematangan.
Abstract
Company has implemented Information Technology (IT). Business
organizations undergo different types of audits for different purposes. An IT audit
focuses on the computer-based aspects of an organization’s information system and
modern systems employ significant levels of technology. The purpose of this research
is to get an overview of the performance of information technology governance in
order to determine the extent of maturity level in the company which is currently
running, with a few aspects to consider such as effectiveness, efficiency, functional
unit of information technology within an organization. Implementing IT governance,
however, is a challenge to organizations. To ensure IT alignment with business goals
use standard COBIT. The analytical tool used is the standard procedure COBIT issued
by ISACA. In this paper the method to be used is COBIT 4.1. The PO domain is
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
2
selected to provide a consistent and detailed approach to consistent management to
enable compliance with corporate governance requirements. This kind of research is
important for company to take benefits from implementation of the above concepts
in order to increase performance. Result maturity level of IT Governance in domain
Plan and Organize (PO), average were at 1.9 (Initial) until 3.1 (Defined).
Keywords: Performance, COBIT, Maturity Level.
INTRODUCTION
Information technology (IT) has been a backbone of business in recent years,
its investment has increased [1]. Nowadays, companies that have implemented
information system and information technology are becoming critical role player for
any organization to achieve its goals and become a winner in this globalization and
competition era [2]. Information technologies (IT) have more and more impacts on
companies’ revenue, making differences on their evolution function. Information
Systems (IS) have become serious investments in front of world’s markets agility and
exponential changing; and also have become one of the companies’ reliable assets
to achieve business goals [3].
Organizations should adhere to IT governance practices which purpose is
to ensure sustainable IT and to extend the organizations’ strategies and objectives
[4]. Information technology governance essentially defined in literature as
specification of decision-making structures, processes, and relational mechanisms
for direction and control of IT operations, and is also identified as an organizational
skill of great importance to strategic alignment, value delivery, risk management and
IT resource [5]. IT governance refers to the patterns of authority for key IT activities
in business firms, including IT infrastructure, IT use, and project management. IT
governance determines who makes the IT-related decisions and assigns
accountability for the outcomes. Effective governance aligns IT investments with
overall business priorities [6]. IT governance arrangements encompass mechanisms
that enable business and IT executives to formulate policies and procedures,
implement them in specific applications, and monitor outcomes. Thus, governance
arrangements include structural, process, and outcome metric dimensions [7].
Control Objectives for Information and Related Technology (COBIT) is a framework
created by Information Systems Audit and Control Association (ISACA) for IT
management and IT governance and is now extensively used by business. ISACA is a
recognized as the worldwide leader in IT governance, control, security and
assurance [8].
The purpose of this research is to get an overview of the performance of
information technology governance in order to determine the extent of the
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
3
capabilities of information technology governance in the PT. Sukma Scientific Abadi
(SCA) which is currently running, with a few aspects to consider such as:
effectiveness, efficiency, functional unit of information technology within an
organization, the data integrity, safeguarding assets, reliability, confidentiality,
availability, and security. The benefit of this research is to determine the maturity
level of information technology governance in the Company using COBIT 4.1.
2. RELEVANT THEORY
2.1 Performance Measurement
Before defining the performance measurement concept, it is worth
discussing its components. First, the literature defines the term “performance” as
the ability of an entity, such as a person, group or organization, to make results in
relation to specific and determined objectives [9]. In addition, performance is an
actual work or output produced by a specific unit or entity. To put it another way,
the performance concept refers to the measurable achievements produced. Second,
the term “measurement” indicates the ability and processes used to quantify and
control specific activities and events [10].
Traditionally, the focus of performance measurement (PM) has been on
financial measures only. By the late 1980s, studies had shown that historic financial
data is not enough to satisfy the PM in the new economy because of the increasing
complexity of organizations and the markets in which companies compete [11].
2.2 Control Objectives for Information and Related Technology (COBIT)
Control Objective for Information and Related Technology (COBIT) is the
information technology governance framework, which applies to management, IT
services, control department, audit functions, and more importantly the owners of
the business process to ensure the accuracy, integrity, and availability of data and
information which are important and sensitive. COBIT essentially is developed to
meet the various needs of management by bridging the information gap between
business risks, control, and technical problems. COBIT supports IT governance by
providing a framework to establish the alignment of IT with the business [12].
COBIT has been proved to provide a successful framework for IT
governance in a controlled environment. There are four major domains under which
there are 34 top level control objectives and are listed below [13]:
a) Plan and Organize (PO),
b) Acquire and Implement (AI),
c) Deliver and Support (DS),
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
4
d) Monitor and Evaluate (ME).
In more detail, the overall COBIT framework can be shown graphically, as
depicted in Figure 1.COBIT Framework, with COBIT’s process model of four domains
containing 34 generic processes, managing the IT resources to deliver information to
the business according to business and governance requirements.
Figure1. Framework COBIT 4.1 [14], [15], [16], [17]
2.3 Maturity Level
COBIT 4.1 uses a range of levels to assess the maturity, these levels are:
Tabel 1. COBIT 4.1 Maturity Level Assessment Criteria [8]
Maturity Index
Maturity Level
0 – 0,50
0 – Non-existents
0,51 – 1,50
1 – Initial/ad hoc
1,51 – 2,50
2 – Repeatable but Intuitive
2,51 – 3,50
3 – Defined Process
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
5
3,51 – 4,50
4 – Managed and Measurable
4,51 – 5,00
5 – Optimized
3. RESEARCH METHODS
PT. Sukma Scientific Abadi, located in Jakarta. One of the companies engaged
in the field of distributor & reseller of various kinds of laboratory chemicals and
supplies. The company is also doing business by selling oil products and chemicals.
Oil products are usually used for tire raw materials. While the material Chemicals
sold to pharmaceuticals or textiles that require chemicals in their production
processes.
This research uses literature study by conducting early survey by analyzing
vision and mission, goals and objectives as well as the company's strategic plan as
well as the strategies, policies related to the management of IT investments and
field observations.
The analytical tool used in this study is the standard procedure COBIT issued
by ISACA (Information systems Audit and Control Association) [8], where the data
can be obtained by various methods, namely: Questionnaire; by distributing
questionnaires to every department in the SCA Company. The respondents consist
of 5 respondents from the top management and 35 respondents as representatives
of every department in the SCA Company, so the overall total respondents obtained
are 40.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
6
Figure 2. Step by Step Performance Measurement
Reporting, after questionnaires were distributed, the collected data were
processed to be calculated based on the maturity level calculation. The result of the
audit contains the findings of the present (current maturity level) and hope in the
future (expected maturity level). The next steps were to calculate the gap analysis in
order to analyze the interpretation of the current and expected maturity level and
to provide recommendation lists of the corrective actions to overcome gap to
achieve the improvements in IT governance. The focus on this research is on PO
domains only. Reason for only domain PO are provide a detailed and comprehensive
approach to consistent management to enable fulfill the requirements of corporate
governance can be met, covering the entire management process, corporate
organizational structure, management roles and responsibilities, reliable and
accountable activities in IT governance, as well as the skills and competencies of the
resources.
4. RESULT AND ANALYSIS
Authors will analyze more to the environment that occur within the IT
department SCA Company, from employees, equipment, physical security,
regulations, etc, focused to domain PO.
Plan and Organize (PO)
In this stage the authors analyzed IT strategic planning that is required to
manage and direct all IT resources in-line with the business strategy and priorities.
The IT function and business stakeholders are responsible for ensuring that optimal
value is realized from project and service portfolios. Expected maturity level of PO is
Level 4, Managed and measurable.
4.1 PO1 Define a Strategic IT Plan
IT strategic planning is required to manage and direct all IT resources to be
in-line with the business strategy and priorities. Management of the “Define a
Strategic IT Plan” process that satisfies the business requirement for IT to sustain or
extend the business strategy and governance requirements while being transparent
about benefits, costs and risks is by devising IT strategic planning is shared with
business management on an as-needed basis. The average of the PO1 processes
were 2.1 that were in level 2 Repeatable but Intuitive.
Recommendations are undertake a discussion of development plans,
procurement of new tools, or training of information technology staff specifically on
business management findings and undertaking strategic planning of information
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
7
technology follows a structured and documented approach to all staff and develop
an overall information technology strategy and analyze possible risks.
4.2 PO2 Define the Information Architecture
This process improves the quality of management decision-making by
making sure that reliable and secure information is provided, and it enables
rationalizing information systems resources to appropriately match business
strategies. Management of the “Define the Information Architecture” process that
satisfies the business requirement for IT of being agile in responding to
requirements, to provide reliable and consistent information, and to seamlessly
integrate applications into business processes is by developing tactical requirements
that drives the development of information architecture components by individual
staff members. The average of the PO2 processes were 2.2 that were in level 2
Repeatable but Intuitive.
Recommendations are conduct formal training, arrange training schedule. Compile
one form of reporting form so that communication can be done consistently has
reporting standards and documenting all procedures and tools so that there is no
dependency on only one key expert.
4.3 PO3 Determine Technological Direction
The information services function determines the technology direction to
support the business. This requires the creation of a technological infrastructure
plan and an architecture board that sets and manages clear and realistic
expectations of what technology can offer in terms of products, services, and
delivery mechanisms. Management of the “Determine Technological Direction”
process that satisfies the business requirement for IT of having stable, cost-effective,
integrated and standard application systems, resources and capabilities that meet
current and future business requirements is to devise a defined, documented and
well-communicated technology infrastructure plan, but it is inconsistently applied.
The average of the PO3 processes was 3.1 that were in level 3 Defined Process.
Recommendations are divisions of responsibilities between departments
should be clear, documenting each task in each department and each individual and
company must establish a qualified vendor selection standard and have a good
portfolio for long-term cooperation purposes.
4.4 PO4 Define the IT Processes, Organization, and Relationships
Processes, administrative policies and procedures are in place for all
functions, with specific attention to control, quality assurance, risk management,
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
8
information security, data and systems ownership, and segregation of duties.
Management of the “Define the IT Processes, Organization and Relationships”
process that satisfies the business requirement for IT of being agile in responding to
the business strategy whilst complying with governance requirements and providing
defined and competent points of contact is to define and implement the division of
roles and responsibilities. The average of the PO4 processes was 3.1 that were in
level 3 Defined Process.
Recommendations are clearly define roles and responsibilities. Divide the
task so that it does not accumulate on one individual, establish a steering committee
and establish internal audit and vendor management. Internal auditing can be
selected from people who have been experienced in the company, assisted by
expert staff in their respective fields.
4.5 PO5 Manage the IT Investment
Stakeholders are consulted to identify and control the total costs and to
manage the IT investment that satisfies the business requirement for IT to
continuously and demonstrably improve IT’s cost-efficiency and its contribution to
business profitability with integrated and standardized services that satisfy end-user
expectations is by defining, documenting, and communicating policies and processes
for investment and budgeting, and by covering key business and technology issues.
The IT budget is aligned with the strategic IT and business plans. The average of the
PO5 processes was 3.0 that were in level 3 Defined Process.
Recommendations are establish an information technology performance
measurement framework and monitor performance by recording targets,
summarize information technology performance reviews and incorporate into the
company's monitoring system, make improvements based on performance
monitoring.
4.6 PO6 Communicate Management Aims and Direction
The communication supports achievement of IT objectives and ensures
awareness and understanding of business and IT risks, objectives, and direction. The
process ensures compliance with relevant laws and regulations. Management of the
“Communicate Management Aims and Direction” process that satisfies the business
requirement for IT of supplying accurate and timely information on current and
future IT services and associated risks and responsibilities is to make sure that the
needs and requirements of an effective information control environment are
implicitly understood by management, but practices are largely informal. The
average of the PO6 processes were 2.1 that were in level 2 Repeatable but Intuitive.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
9
Recommendations are Establish formal control of each policy and activity,
methodologies and tools for monitoring internal controls are used, and should be
planned and documented and internal control responsibilities may be submitted or
represented to other staff accompanying the expert, so that the controls are not
focused on one person.
4.7 PO7 Manage IT Human Resources
A competent workforce is acquired and maintained for the creation and
delivery of IT services to the business. This is achieved by following defined and
agreed-upon practices supporting recruiting, training, evaluating performance,
promoting and terminating. Management of the “Manage IT Human Resources”
process that satisfies the business requirement for IT of acquiring competent and
motivated people to create and deliver IT services is to deploy a tactical approach to
hire and manage IT personnel, driven by project-specific needs, rather than by
understanding balance of internal and external availability of skilled staff. Informal
training takes place for new personnel, who then receive training on an as-required
basis. The average of the PO7 processes were 2.2 that were in level 2 Repeatable
but Intuitive.
Recommendations are review and adjust the information technology policy
in accordance with standard contract procedures and all meet the legal
requirements. Investigate local and international laws, regulations and requirements
that organizations and information technology must meet and apply all applicable
laws on all information technology uses. Provide legal knowledge and regulations
and other external requirements to all staff.
4.8 PO8 Manage Quality
Quality requirements are stated and communicated in quantifiable and
achievable indicators. Continuous improvement is achieved by ongoing monitoring,
analysis, and acting upon deviations, and communicating results to stakeholders.
Management of the “Manage Quality” process that satisfies the business
requirement for IT to ensure continuous and measurable improvement of the
quality of IT services delivered is by defining basic quality expectations and shares
them among projects and within the IT organization. The average of the PO8
processes were 2.9 that were in level 2 Repeatable but Intuitive.
Recommendations are regularly evaluating information technology
investments, managing the portfolio determine which parts should be developed.
Prepare cost optimization well for example information technology spending plan
set, business goal set and planned how big information technology can support
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
10
business from result of goal will be evaluated again function of information
technology in supporting business.
4.9 PO9 Assess and Manage IT Risks
A risk management framework is created and maintained. The framework
documents a common and agreed-upon level of IT risks, mitigation strategies, and
residual risks. Management of the “Assess and Manage IT Risks” process that
satisfies the business requirement for IT of analyzing and communicating IT risks and
their potential impact on business processes and goals is by considering IT risks in an
ad hoc manner. Informal assessments of project risk take place as determined by
each project. Risk assessments are sometimes identified in a project plan but are
rarely assigned to specific managers. The average of the PO9 processes were 1.9
that were in level 1 Initial / Ad Hoc.
Recommendations are management should establish risk management
training for all staff. Training can be done by experienced IT managers to other staff.
Prioritize and plan monitoring activities at all levels to carry out risk identification,
including costs. Report any irregularities to senior management and staff are given
provisions to find out the initial characteristics of the problem so that early risk
handling can be done.
4.10 PO10 Manage Projects
This approach reduces the risk of unexpected costs and project cancellations,
improves communications and involvement of business and end users, ensures the
value and quality of project deliverables, and maximizes their contribution to ITenabled investment programmers. Management of the “Manage Projects” process
that satisfies the business requirement for IT of ensuring the delivery of project
results within agreed-upon time frames, budget, and quality is that the senior
management gains and communicates an awareness of the need for IT project
management. The average of the P10 processes were 2.3 that were in level 2
Repeatable but Intuitive.
Recommendations are establish appropriate responsibility, authority and
criteria for one project leader to supervise each team member and project is
submitted to the project developer and communicated to all stakeholders, assessing
each phase. All sub domain PO can see table 2.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
11
Tabel 2. Maturity Level Domain Plan and Organize
No.
Maturity Level Domain Plan and Organize
Sub Domain
PO1
Define a Strategic IT Plan
2.1
PO2
Define the Information Architecture
2.2
PO3
Determine Technological Direction
3.1
PO4
Define the IT Processes, Organization, and Relationships
3.1
PO5
Manage the IT Investment
3.0
PO6
Communicate Management Aims and Direction
2.1
PO7
Manage IT Human Resources
2.2
PO8
Manage Quality
2.9
PO9
Assess and Manage IT Risks
1.9
PO10
Manage Projects
2.3
Current
5. CONCLUSION
Organizations should take into considerations the importance of IT
governance and its aspects such as: effectiveness, efficiency, functional unit of
information technology, the data integrity, safeguarding assets, reliability,
confidentiality, availability, and security in enhancing their performance. The results
of this research proved that the maturity level for the SCA Company based on Plan
and Organize domain average was at 1.9 (Initial) until 3.1 (Defined). This means that
controls are implemented but not documented, since they depend on the
knowledge and motivation of individuals. The employees may not be aware of their
responsibilities. The authors hope that these findings will be useful to others in the
IT Governance field using COBIT 4.1.
REFERENCES
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
12
[1] Preittigun, A., Chantatub, W., Vatanasakdakul, S., 2012, A Comparison between
IT Governance Research and Concepts in COBIT 5, International Journal of
Research in Management & Technology, Vol. 2, No.6, pp. 581-590.
[2] Harwikarya, Sadikin, M., Fitrianah, D., Sarinanto, M. M., Nurhaida, I., and
Dwiyanto, A. R., 2015, IS Strategic Plan for Higher Education Based on COBIT
Assessment: A Case Study, International Journal of Information and Education
Technology, Vol. 5, No. 8, pp. 629-633.
[3] Meriyem, C., Adil, S., and Hicham, M., 2015, IT Governance Ontology Building
Process: Example of developing Audit Ontology, International Journal of
Computer Techniques, Vol. 2, Issue 1, pp. 134-141.
[4] Marewick, C., and Labuschagne, L., 2011, An Investigation Into The Governance
of Information Technology Projects in South Africa, International Journal of
Project Management, Vol. 29, No. 6, pp. 661-670.
[5] Bermejo, P. H. S., Tonelli, A. O., Zambalde, A. L., Brito, M. J., and Todesco, J. L.,
2012, Implementation of information technology (IT) governance through IT
strategic planning, African Journal of Business Management, Vol.6 , pp. 1117911189.
[6] Latif, A. A., and Hanifi, N., 2013, Analyzing IT Function Using COBIT 4.1 A Case
Study of Malaysian Private University, Journal of Economics, Business and
Management, Vol. 1, No. 4, pp. 406-408.
[7] Bowen, P. L., Cheung, M. Y. D., and Rohde, F. H., 2007, Enhancing IT governance
practices: A model and case study of an organization's efforts, International
Journal of Accounting Information Systems, Vol. 8, pp. 191–221.
[8] Pasquini, A., 2013, COBIT 5 and the Process Capability Model. Improvements
Provided for IT Governance Process, Proceedings of FIKUSZ ’13 Symposium for
Young Researchers, pp. 67-76.
[9] Wraikat, M. M., 2010, Information Technology Governance Role in Enhancing
Performance: A Case Study on Jordan Public Sector, Proceedings of the World
Congress on Engineering and Computer Science, Vol 1.
[10]Zeglat, D., AlRawabdeh, W., Almadi, F., and Shrafat, F., 2012, Performance
Measurements Systems: Stages of Development Leading to Success,
Interdisciplinary Journal of Contemporary Research in Business, Vol. 4, No. 7, pp.
440-448.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
13
[11]Striteska, M., and Spickova, M., 2012, Review and Comparison of Performance
Measurement Systems, Journal of Organizational Management Studies, pp. 113.
[12]Tanuwijaya, H., and Sarno, R., 2010, Comparation of CobiT Maturity Model and
Structural Equation Model for Measuring the Alignment between University
Academic Regulations and Information Technology Goals, International Journal
of Computer Science and Network Security, Vol.10, No.6, pp. 80-92.
[13]Yousif, S. T., and Sulaiman, H., 2015, Conceptual Framework for Successful ITGovernance for E-Government Services, The 3rd National Graduate Conference,
pp. 302-307.
[14]Andry, J. F., 2016, Audit Tata Kelola TI Menggunakan Kerangka Kerja COBIT Pada
Domain DS dan ME Di Perusahaan Kreavi Informatika Solusindo, Seminar
Nasional Teknologi Informasi dan Komunikasi 2016 (SENTIKA 2016) ISSN: 20899815, Yogyakarta.
[15]Andry, J. F., 2016, Audit Sistem Informasi Sumber Daya Manusia Pada Training
Center Di Jakarta Menggunakan Framework Cobit 4.1, Jurnal Ilmiah FIFO, Vol.
VIII, No.1, pp. 28-34.
[16]Andry, J. F., 2017, Audit Sistem Informasi Absensi Pada Pt. Bank Central Asia Tbk
Menggunakan Cobit 4.1, Jurnal Teknik Informatika dan Sistem Informasi,
Volume 3, Nomor 2, Agustus, e-ISSN : 2443-2229.
[17]IT Governance Institute, 2007, COBIT 4.1 Framework, Control Objective,
Management Guidelines, Maturity Models, Rolling Meadows, IL 60008 USA: ITGI,
Available: http://www.isaca.org.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
1
Performance Measurement of IT Based on COBIT Assessment: A
Case Study
Johanes Fernandes Andry*1, Henny Hartono2
1,2
Faculty Technology and Design, Bunda Mulia University
Jl. Lodan Raya No. 2 Ancol, North Jakarta 14430
e-mail: *1jandry@bundamulia.ac.id, 2hhartono@bundamulia.ac.id
Abstrak
Perusahaan telah menerapkan Teknologi Informasi (TI). Organisasi yang berorientasi
pada bisnis menjalani berbagai jenis audit untuk tujuan yang berbeda. Audit TI berfokus
pada aspek berbasis komputer dari sistem informasi organisasi dan menggunakan sistem
tingkat teknologi modern yang signifikan. Tujuan dari penelitian ini adalah untuk
mendapatkan gambaran umum mengenai kinerja tata kelola teknologi informasi untuk
mengetahui tingkat kematangan dalam perusahaan yang saat ini berjalan, dengan beberapa
aspek yang perlu diperhatikan seperti efektivitas, efisiensi, unit fungsional informasi
teknologi dalam sebuah organisasi. Menerapkan tata kelola TI, bagaimanapun, adalah
tantangan bagi organisasi. Untuk memastikan keselarasan TI dengan tujuan bisnis
menggunakan standar COBIT. Alat analisis yang digunakan adalah prosedur standar COBIT
yang dikeluarkan oleh ISACA. Dalam tulisan ini metode yang akan digunakan adalah COBIT
4.1. Domain PO dipilih untuk memberikan pendekatan yang detil dan komprehensif kepada
manajemen yang konsisten untuk memungkinkan memenuhi persyaratan tata kelola
perusahaan. Jenis penelitian ini penting bagi perusahaan untuk mengambil manfaat dari
penerapan konsep di atas dalam rangka meningkatkan kinerja. Hasil tingkat kematangan
tata kelola IT dalam domain Plan and Organize (PO), rata-rata berada di 1,9 (Initial) sampai
3.1 (Defined).
Kata kunci: Kinerja, COBIT, Tingkat Kematangan.
Abstract
Company has implemented Information Technology (IT). Business
organizations undergo different types of audits for different purposes. An IT audit
focuses on the computer-based aspects of an organization’s information system and
modern systems employ significant levels of technology. The purpose of this research
is to get an overview of the performance of information technology governance in
order to determine the extent of maturity level in the company which is currently
running, with a few aspects to consider such as effectiveness, efficiency, functional
unit of information technology within an organization. Implementing IT governance,
however, is a challenge to organizations. To ensure IT alignment with business goals
use standard COBIT. The analytical tool used is the standard procedure COBIT issued
by ISACA. In this paper the method to be used is COBIT 4.1. The PO domain is
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
2
selected to provide a consistent and detailed approach to consistent management to
enable compliance with corporate governance requirements. This kind of research is
important for company to take benefits from implementation of the above concepts
in order to increase performance. Result maturity level of IT Governance in domain
Plan and Organize (PO), average were at 1.9 (Initial) until 3.1 (Defined).
Keywords: Performance, COBIT, Maturity Level.
INTRODUCTION
Information technology (IT) has been a backbone of business in recent years,
its investment has increased [1]. Nowadays, companies that have implemented
information system and information technology are becoming critical role player for
any organization to achieve its goals and become a winner in this globalization and
competition era [2]. Information technologies (IT) have more and more impacts on
companies’ revenue, making differences on their evolution function. Information
Systems (IS) have become serious investments in front of world’s markets agility and
exponential changing; and also have become one of the companies’ reliable assets
to achieve business goals [3].
Organizations should adhere to IT governance practices which purpose is
to ensure sustainable IT and to extend the organizations’ strategies and objectives
[4]. Information technology governance essentially defined in literature as
specification of decision-making structures, processes, and relational mechanisms
for direction and control of IT operations, and is also identified as an organizational
skill of great importance to strategic alignment, value delivery, risk management and
IT resource [5]. IT governance refers to the patterns of authority for key IT activities
in business firms, including IT infrastructure, IT use, and project management. IT
governance determines who makes the IT-related decisions and assigns
accountability for the outcomes. Effective governance aligns IT investments with
overall business priorities [6]. IT governance arrangements encompass mechanisms
that enable business and IT executives to formulate policies and procedures,
implement them in specific applications, and monitor outcomes. Thus, governance
arrangements include structural, process, and outcome metric dimensions [7].
Control Objectives for Information and Related Technology (COBIT) is a framework
created by Information Systems Audit and Control Association (ISACA) for IT
management and IT governance and is now extensively used by business. ISACA is a
recognized as the worldwide leader in IT governance, control, security and
assurance [8].
The purpose of this research is to get an overview of the performance of
information technology governance in order to determine the extent of the
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
3
capabilities of information technology governance in the PT. Sukma Scientific Abadi
(SCA) which is currently running, with a few aspects to consider such as:
effectiveness, efficiency, functional unit of information technology within an
organization, the data integrity, safeguarding assets, reliability, confidentiality,
availability, and security. The benefit of this research is to determine the maturity
level of information technology governance in the Company using COBIT 4.1.
2. RELEVANT THEORY
2.1 Performance Measurement
Before defining the performance measurement concept, it is worth
discussing its components. First, the literature defines the term “performance” as
the ability of an entity, such as a person, group or organization, to make results in
relation to specific and determined objectives [9]. In addition, performance is an
actual work or output produced by a specific unit or entity. To put it another way,
the performance concept refers to the measurable achievements produced. Second,
the term “measurement” indicates the ability and processes used to quantify and
control specific activities and events [10].
Traditionally, the focus of performance measurement (PM) has been on
financial measures only. By the late 1980s, studies had shown that historic financial
data is not enough to satisfy the PM in the new economy because of the increasing
complexity of organizations and the markets in which companies compete [11].
2.2 Control Objectives for Information and Related Technology (COBIT)
Control Objective for Information and Related Technology (COBIT) is the
information technology governance framework, which applies to management, IT
services, control department, audit functions, and more importantly the owners of
the business process to ensure the accuracy, integrity, and availability of data and
information which are important and sensitive. COBIT essentially is developed to
meet the various needs of management by bridging the information gap between
business risks, control, and technical problems. COBIT supports IT governance by
providing a framework to establish the alignment of IT with the business [12].
COBIT has been proved to provide a successful framework for IT
governance in a controlled environment. There are four major domains under which
there are 34 top level control objectives and are listed below [13]:
a) Plan and Organize (PO),
b) Acquire and Implement (AI),
c) Deliver and Support (DS),
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
4
d) Monitor and Evaluate (ME).
In more detail, the overall COBIT framework can be shown graphically, as
depicted in Figure 1.COBIT Framework, with COBIT’s process model of four domains
containing 34 generic processes, managing the IT resources to deliver information to
the business according to business and governance requirements.
Figure1. Framework COBIT 4.1 [14], [15], [16], [17]
2.3 Maturity Level
COBIT 4.1 uses a range of levels to assess the maturity, these levels are:
Tabel 1. COBIT 4.1 Maturity Level Assessment Criteria [8]
Maturity Index
Maturity Level
0 – 0,50
0 – Non-existents
0,51 – 1,50
1 – Initial/ad hoc
1,51 – 2,50
2 – Repeatable but Intuitive
2,51 – 3,50
3 – Defined Process
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
5
3,51 – 4,50
4 – Managed and Measurable
4,51 – 5,00
5 – Optimized
3. RESEARCH METHODS
PT. Sukma Scientific Abadi, located in Jakarta. One of the companies engaged
in the field of distributor & reseller of various kinds of laboratory chemicals and
supplies. The company is also doing business by selling oil products and chemicals.
Oil products are usually used for tire raw materials. While the material Chemicals
sold to pharmaceuticals or textiles that require chemicals in their production
processes.
This research uses literature study by conducting early survey by analyzing
vision and mission, goals and objectives as well as the company's strategic plan as
well as the strategies, policies related to the management of IT investments and
field observations.
The analytical tool used in this study is the standard procedure COBIT issued
by ISACA (Information systems Audit and Control Association) [8], where the data
can be obtained by various methods, namely: Questionnaire; by distributing
questionnaires to every department in the SCA Company. The respondents consist
of 5 respondents from the top management and 35 respondents as representatives
of every department in the SCA Company, so the overall total respondents obtained
are 40.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
6
Figure 2. Step by Step Performance Measurement
Reporting, after questionnaires were distributed, the collected data were
processed to be calculated based on the maturity level calculation. The result of the
audit contains the findings of the present (current maturity level) and hope in the
future (expected maturity level). The next steps were to calculate the gap analysis in
order to analyze the interpretation of the current and expected maturity level and
to provide recommendation lists of the corrective actions to overcome gap to
achieve the improvements in IT governance. The focus on this research is on PO
domains only. Reason for only domain PO are provide a detailed and comprehensive
approach to consistent management to enable fulfill the requirements of corporate
governance can be met, covering the entire management process, corporate
organizational structure, management roles and responsibilities, reliable and
accountable activities in IT governance, as well as the skills and competencies of the
resources.
4. RESULT AND ANALYSIS
Authors will analyze more to the environment that occur within the IT
department SCA Company, from employees, equipment, physical security,
regulations, etc, focused to domain PO.
Plan and Organize (PO)
In this stage the authors analyzed IT strategic planning that is required to
manage and direct all IT resources in-line with the business strategy and priorities.
The IT function and business stakeholders are responsible for ensuring that optimal
value is realized from project and service portfolios. Expected maturity level of PO is
Level 4, Managed and measurable.
4.1 PO1 Define a Strategic IT Plan
IT strategic planning is required to manage and direct all IT resources to be
in-line with the business strategy and priorities. Management of the “Define a
Strategic IT Plan” process that satisfies the business requirement for IT to sustain or
extend the business strategy and governance requirements while being transparent
about benefits, costs and risks is by devising IT strategic planning is shared with
business management on an as-needed basis. The average of the PO1 processes
were 2.1 that were in level 2 Repeatable but Intuitive.
Recommendations are undertake a discussion of development plans,
procurement of new tools, or training of information technology staff specifically on
business management findings and undertaking strategic planning of information
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
7
technology follows a structured and documented approach to all staff and develop
an overall information technology strategy and analyze possible risks.
4.2 PO2 Define the Information Architecture
This process improves the quality of management decision-making by
making sure that reliable and secure information is provided, and it enables
rationalizing information systems resources to appropriately match business
strategies. Management of the “Define the Information Architecture” process that
satisfies the business requirement for IT of being agile in responding to
requirements, to provide reliable and consistent information, and to seamlessly
integrate applications into business processes is by developing tactical requirements
that drives the development of information architecture components by individual
staff members. The average of the PO2 processes were 2.2 that were in level 2
Repeatable but Intuitive.
Recommendations are conduct formal training, arrange training schedule. Compile
one form of reporting form so that communication can be done consistently has
reporting standards and documenting all procedures and tools so that there is no
dependency on only one key expert.
4.3 PO3 Determine Technological Direction
The information services function determines the technology direction to
support the business. This requires the creation of a technological infrastructure
plan and an architecture board that sets and manages clear and realistic
expectations of what technology can offer in terms of products, services, and
delivery mechanisms. Management of the “Determine Technological Direction”
process that satisfies the business requirement for IT of having stable, cost-effective,
integrated and standard application systems, resources and capabilities that meet
current and future business requirements is to devise a defined, documented and
well-communicated technology infrastructure plan, but it is inconsistently applied.
The average of the PO3 processes was 3.1 that were in level 3 Defined Process.
Recommendations are divisions of responsibilities between departments
should be clear, documenting each task in each department and each individual and
company must establish a qualified vendor selection standard and have a good
portfolio for long-term cooperation purposes.
4.4 PO4 Define the IT Processes, Organization, and Relationships
Processes, administrative policies and procedures are in place for all
functions, with specific attention to control, quality assurance, risk management,
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
8
information security, data and systems ownership, and segregation of duties.
Management of the “Define the IT Processes, Organization and Relationships”
process that satisfies the business requirement for IT of being agile in responding to
the business strategy whilst complying with governance requirements and providing
defined and competent points of contact is to define and implement the division of
roles and responsibilities. The average of the PO4 processes was 3.1 that were in
level 3 Defined Process.
Recommendations are clearly define roles and responsibilities. Divide the
task so that it does not accumulate on one individual, establish a steering committee
and establish internal audit and vendor management. Internal auditing can be
selected from people who have been experienced in the company, assisted by
expert staff in their respective fields.
4.5 PO5 Manage the IT Investment
Stakeholders are consulted to identify and control the total costs and to
manage the IT investment that satisfies the business requirement for IT to
continuously and demonstrably improve IT’s cost-efficiency and its contribution to
business profitability with integrated and standardized services that satisfy end-user
expectations is by defining, documenting, and communicating policies and processes
for investment and budgeting, and by covering key business and technology issues.
The IT budget is aligned with the strategic IT and business plans. The average of the
PO5 processes was 3.0 that were in level 3 Defined Process.
Recommendations are establish an information technology performance
measurement framework and monitor performance by recording targets,
summarize information technology performance reviews and incorporate into the
company's monitoring system, make improvements based on performance
monitoring.
4.6 PO6 Communicate Management Aims and Direction
The communication supports achievement of IT objectives and ensures
awareness and understanding of business and IT risks, objectives, and direction. The
process ensures compliance with relevant laws and regulations. Management of the
“Communicate Management Aims and Direction” process that satisfies the business
requirement for IT of supplying accurate and timely information on current and
future IT services and associated risks and responsibilities is to make sure that the
needs and requirements of an effective information control environment are
implicitly understood by management, but practices are largely informal. The
average of the PO6 processes were 2.1 that were in level 2 Repeatable but Intuitive.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
9
Recommendations are Establish formal control of each policy and activity,
methodologies and tools for monitoring internal controls are used, and should be
planned and documented and internal control responsibilities may be submitted or
represented to other staff accompanying the expert, so that the controls are not
focused on one person.
4.7 PO7 Manage IT Human Resources
A competent workforce is acquired and maintained for the creation and
delivery of IT services to the business. This is achieved by following defined and
agreed-upon practices supporting recruiting, training, evaluating performance,
promoting and terminating. Management of the “Manage IT Human Resources”
process that satisfies the business requirement for IT of acquiring competent and
motivated people to create and deliver IT services is to deploy a tactical approach to
hire and manage IT personnel, driven by project-specific needs, rather than by
understanding balance of internal and external availability of skilled staff. Informal
training takes place for new personnel, who then receive training on an as-required
basis. The average of the PO7 processes were 2.2 that were in level 2 Repeatable
but Intuitive.
Recommendations are review and adjust the information technology policy
in accordance with standard contract procedures and all meet the legal
requirements. Investigate local and international laws, regulations and requirements
that organizations and information technology must meet and apply all applicable
laws on all information technology uses. Provide legal knowledge and regulations
and other external requirements to all staff.
4.8 PO8 Manage Quality
Quality requirements are stated and communicated in quantifiable and
achievable indicators. Continuous improvement is achieved by ongoing monitoring,
analysis, and acting upon deviations, and communicating results to stakeholders.
Management of the “Manage Quality” process that satisfies the business
requirement for IT to ensure continuous and measurable improvement of the
quality of IT services delivered is by defining basic quality expectations and shares
them among projects and within the IT organization. The average of the PO8
processes were 2.9 that were in level 2 Repeatable but Intuitive.
Recommendations are regularly evaluating information technology
investments, managing the portfolio determine which parts should be developed.
Prepare cost optimization well for example information technology spending plan
set, business goal set and planned how big information technology can support
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
10
business from result of goal will be evaluated again function of information
technology in supporting business.
4.9 PO9 Assess and Manage IT Risks
A risk management framework is created and maintained. The framework
documents a common and agreed-upon level of IT risks, mitigation strategies, and
residual risks. Management of the “Assess and Manage IT Risks” process that
satisfies the business requirement for IT of analyzing and communicating IT risks and
their potential impact on business processes and goals is by considering IT risks in an
ad hoc manner. Informal assessments of project risk take place as determined by
each project. Risk assessments are sometimes identified in a project plan but are
rarely assigned to specific managers. The average of the PO9 processes were 1.9
that were in level 1 Initial / Ad Hoc.
Recommendations are management should establish risk management
training for all staff. Training can be done by experienced IT managers to other staff.
Prioritize and plan monitoring activities at all levels to carry out risk identification,
including costs. Report any irregularities to senior management and staff are given
provisions to find out the initial characteristics of the problem so that early risk
handling can be done.
4.10 PO10 Manage Projects
This approach reduces the risk of unexpected costs and project cancellations,
improves communications and involvement of business and end users, ensures the
value and quality of project deliverables, and maximizes their contribution to ITenabled investment programmers. Management of the “Manage Projects” process
that satisfies the business requirement for IT of ensuring the delivery of project
results within agreed-upon time frames, budget, and quality is that the senior
management gains and communicates an awareness of the need for IT project
management. The average of the P10 processes were 2.3 that were in level 2
Repeatable but Intuitive.
Recommendations are establish appropriate responsibility, authority and
criteria for one project leader to supervise each team member and project is
submitted to the project developer and communicated to all stakeholders, assessing
each phase. All sub domain PO can see table 2.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
11
Tabel 2. Maturity Level Domain Plan and Organize
No.
Maturity Level Domain Plan and Organize
Sub Domain
PO1
Define a Strategic IT Plan
2.1
PO2
Define the Information Architecture
2.2
PO3
Determine Technological Direction
3.1
PO4
Define the IT Processes, Organization, and Relationships
3.1
PO5
Manage the IT Investment
3.0
PO6
Communicate Management Aims and Direction
2.1
PO7
Manage IT Human Resources
2.2
PO8
Manage Quality
2.9
PO9
Assess and Manage IT Risks
1.9
PO10
Manage Projects
2.3
Current
5. CONCLUSION
Organizations should take into considerations the importance of IT
governance and its aspects such as: effectiveness, efficiency, functional unit of
information technology, the data integrity, safeguarding assets, reliability,
confidentiality, availability, and security in enhancing their performance. The results
of this research proved that the maturity level for the SCA Company based on Plan
and Organize domain average was at 1.9 (Initial) until 3.1 (Defined). This means that
controls are implemented but not documented, since they depend on the
knowledge and motivation of individuals. The employees may not be aware of their
responsibilities. The authors hope that these findings will be useful to others in the
IT Governance field using COBIT 4.1.
REFERENCES
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
12
[1] Preittigun, A., Chantatub, W., Vatanasakdakul, S., 2012, A Comparison between
IT Governance Research and Concepts in COBIT 5, International Journal of
Research in Management & Technology, Vol. 2, No.6, pp. 581-590.
[2] Harwikarya, Sadikin, M., Fitrianah, D., Sarinanto, M. M., Nurhaida, I., and
Dwiyanto, A. R., 2015, IS Strategic Plan for Higher Education Based on COBIT
Assessment: A Case Study, International Journal of Information and Education
Technology, Vol. 5, No. 8, pp. 629-633.
[3] Meriyem, C., Adil, S., and Hicham, M., 2015, IT Governance Ontology Building
Process: Example of developing Audit Ontology, International Journal of
Computer Techniques, Vol. 2, Issue 1, pp. 134-141.
[4] Marewick, C., and Labuschagne, L., 2011, An Investigation Into The Governance
of Information Technology Projects in South Africa, International Journal of
Project Management, Vol. 29, No. 6, pp. 661-670.
[5] Bermejo, P. H. S., Tonelli, A. O., Zambalde, A. L., Brito, M. J., and Todesco, J. L.,
2012, Implementation of information technology (IT) governance through IT
strategic planning, African Journal of Business Management, Vol.6 , pp. 1117911189.
[6] Latif, A. A., and Hanifi, N., 2013, Analyzing IT Function Using COBIT 4.1 A Case
Study of Malaysian Private University, Journal of Economics, Business and
Management, Vol. 1, No. 4, pp. 406-408.
[7] Bowen, P. L., Cheung, M. Y. D., and Rohde, F. H., 2007, Enhancing IT governance
practices: A model and case study of an organization's efforts, International
Journal of Accounting Information Systems, Vol. 8, pp. 191–221.
[8] Pasquini, A., 2013, COBIT 5 and the Process Capability Model. Improvements
Provided for IT Governance Process, Proceedings of FIKUSZ ’13 Symposium for
Young Researchers, pp. 67-76.
[9] Wraikat, M. M., 2010, Information Technology Governance Role in Enhancing
Performance: A Case Study on Jordan Public Sector, Proceedings of the World
Congress on Engineering and Computer Science, Vol 1.
[10]Zeglat, D., AlRawabdeh, W., Almadi, F., and Shrafat, F., 2012, Performance
Measurements Systems: Stages of Development Leading to Success,
Interdisciplinary Journal of Contemporary Research in Business, Vol. 4, No. 7, pp.
440-448.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839
Association for Information Systems – Indonesia chapter (AISINDO)
13
[11]Striteska, M., and Spickova, M., 2012, Review and Comparison of Performance
Measurement Systems, Journal of Organizational Management Studies, pp. 113.
[12]Tanuwijaya, H., and Sarno, R., 2010, Comparation of CobiT Maturity Model and
Structural Equation Model for Measuring the Alignment between University
Academic Regulations and Information Technology Goals, International Journal
of Computer Science and Network Security, Vol.10, No.6, pp. 80-92.
[13]Yousif, S. T., and Sulaiman, H., 2015, Conceptual Framework for Successful ITGovernance for E-Government Services, The 3rd National Graduate Conference,
pp. 302-307.
[14]Andry, J. F., 2016, Audit Tata Kelola TI Menggunakan Kerangka Kerja COBIT Pada
Domain DS dan ME Di Perusahaan Kreavi Informatika Solusindo, Seminar
Nasional Teknologi Informasi dan Komunikasi 2016 (SENTIKA 2016) ISSN: 20899815, Yogyakarta.
[15]Andry, J. F., 2016, Audit Sistem Informasi Sumber Daya Manusia Pada Training
Center Di Jakarta Menggunakan Framework Cobit 4.1, Jurnal Ilmiah FIFO, Vol.
VIII, No.1, pp. 28-34.
[16]Andry, J. F., 2017, Audit Sistem Informasi Absensi Pada Pt. Bank Central Asia Tbk
Menggunakan Cobit 4.1, Jurnal Teknik Informatika dan Sistem Informasi,
Volume 3, Nomor 2, Agustus, e-ISSN : 2443-2229.
[17]IT Governance Institute, 2007, COBIT 4.1 Framework, Control Objective,
Management Guidelines, Maturity Models, Rolling Meadows, IL 60008 USA: ITGI,
Available: http://www.isaca.org.
Jurnal Sistem Informasi Indonesia (JSII) Volume 2 Nomor 1 (2017)
ISSN: 2460 – 6839