The Application of Cobit 5.0 Framework to Measure Capability of Information and Technology Governance and Management Processes

This study examines the measurement of Information Technology governance and management capability levels using Cobit 5.0. Researchers collected data through questionnaires and interviews. Data processing from questionnaires and interviews can reveal the company's current level. In the EDM domain, the company scored very high in the process that addresses information technology risk optimization. Regular evaluation of business processes is crucial to create alignment and deal with possible risks. To move up to level two, companies must identify and understand the impact of the risks that arise. Companies should enhance their information technology services and security within the domain, perform audits, and report current and future risks. In this domain, companies must identify service capacity, predict future needs, and be ready to face sudden changes. In the DSS domain, companies need to have information system analysis experts conduct training for their staff, identify availability and service problems, and test the ability of their systems to move up to level two.


Introduction
Along with the rapid development of information technology, this technology has become the main driver in advancing almost all human activities. From daily activities to business operations, information technology has significantly contributed to speeding up, simplifying, and increasing the efficiency of various processes [1]. Previously, many jobs were considered complex or inefficient for humans, but they have become easier with increasingly sophisticated information technology. Information technology not only provides benefits for individuals but also for companies and organizations as a whole. Applying information technology to business operations can help companies run more smoothly, improve service quality, and increase the efficiency of their business processes [2]. With information technology, companies can manage data more efficiently, improve internal and external communications, and increase accessibility to information. Information technology also allows companies to develop more innovative products and services according to market needs. Thus, information technology has a vital role in supporting the growth and success of companies in this digital era [3].
Information technology greatly helps every company and organization carry out its operations. Apart from that, using information systems is also vital in supporting various aspects of business. One of the main functions of an information system is to maintain the security of company data [4]. Information systems help ensure that data, a valuable asset, remains confidential and protected from unauthorized access. Apart from data security, information systems are also essential to ensure the availability of accurate and precise information when needed. Timely and accurate information is critical to good decision-making [5]. Companies and organizations also use information systems as tools to assist in decision-making. With a sound information system, companies can collect, store, and analyze data more efficiently, enabling them to make quick and correct decisions in dealing with various complex business problems and situations [6]. Thus, the use of information systems is a necessity for companies and organizations to manage their businesses effectively and efficiently in this digital era [7].
Companies measuring the capability level of information systems technology can utilize the COBIT 5.0 framework. COBIT not only helps evaluate the extent to which the functions and uses of information systems follow the needs and requirements of companies and organizations from the start but also provides a solid foundation for companies to understand their position in information technology management [8]. This evaluation at the capability level offers valuable information to support companies' business processes, identify areas for improvement in information systems or services, and establish reliable standards for measuring information system technology capability levels [9]. By using COBIT, companies can make appropriate improvements and developments to improve the quality of their information systems following established standards [10]. This will help companies effectively and efficiently use information technology to support their operations and business strategies [11]. In addition, by better understanding their information technology capabilities, companies can more easily identify opportunities and risks associated with information technology and plan the necessary steps to optimize the benefits of information technology for the entire company [12].
COBIT (Control Objectives for Information and Related Technologies) is a framework that contains best practice documentation for IT governance. It assists auditors, users, and management in managing business risks, identifying control needs, and addressing technical issues related to information technology [13]. It provides comprehensive framework services that help a company's governance and IT management achieve the expected goals [14]. By following the best practices established in COBIT, companies can increase the efficiency and effectiveness of using information technology to support their operations and business strategies [15]. Aside from that, this framework also helps companies understand the risks associated with information technology and how to manage them effectively. Thus, this framework becomes an invaluable tool for companies to manage and optimize the use of information technology to achieve their business goals [16].
Auditing is a systematic process that aims to obtain and evaluate objective evidence regarding economic events. The purpose of the audit is to determine the level of suitability between statements and predetermined criteria, as well as to convey the evaluation results to interested parties [17]. The audit process involves accumulating and evaluating economic activities to ensure they comply with predetermined standards or criteria. Competent and independent people conduct audits, so audit results are reliable and objective. An auditor must be consistent in giving his energy to work and specific in carrying out his duties. Apart from that, auditors must also be independent in carrying out their work so that they are not influenced by factors that could affect the objectivity of audit results [18]. Thus, audits are significant in ensuring an organization or company's transparency, accountability, and sustainability.
Frequently used information systems include people, algorithmic processes, data, and technology interactions. This reflects the use of information and communications technology in the context of a company or organization and in how people interact with technology to support their business processes [19]. An information system is a tool used to present information so that it is helpful for the recipient. The aim is to provide relevant and accurate information in planning, organizing, and operating a company, thereby helping the organization in the decision-making process. The function of an information system is to improve the development and maintenance of the system so that its quality is maintained [20]. Aside from that, information systems also assist in identifying risks that may arise in an organization's or company's business processes. With accurate and timely information, organizations or companies can make the right decisions if problems occur in the operation of their information systems [21].
An information systems audit is a process that involves collecting and assessing evidence to assess whether an organization's computer systems can secure assets, maintain data integrity, promote effective achievement of organizational goals, and use resources efficiently. The audit aims to determine how well the information produced by the information system aligns with previously established criteria [22]. When conducting an information system audit, we evaluate the system's performance by referring to various criteria. Information system audits also aim to assess if applications comply with established procedures and if the system has been well and economically designed and implemented [23]. An information system audit also aims to assess whether the system has adequate asset security mechanisms and can guarantee data integrity [24]. Thus, an information system audit is a critical evaluation process to determine an organization's information system's effectiveness, efficiency, and security.

Research Methods
In conducting this research, the author has taken several steps to ensure the required data is complete and can be used to measure capability levels. Data collection was carried out through questionnaires and interviews. Before starting the questionnaire, the first step is to sort the enterprise goals to determine which domain will be used in the questionnaire [25]. These enterprise goals are filled in by the company's information technology team based on the company's choices and priorities and adjusted to the company's vision and mission. Interviews were conducted after the questionnaire was completed. Interviews were conducted directly with the company's information technology staff [26]. The first step in the interview is direct observation of the company to understand existing business processes and ensure that the company uses information technology. After observation, the author continued with questionnaires and interviews. Questionnaires and interviews are created based on the company's choices and priorities [27]. When conducting questionnaires and interviews, the author communicated directly with the company's information technology team to ensure the data obtained was accurate and followed research needs. After receiving data from questionnaires and interviews, the data is processed to determine the company's capability level. Recommendations are then given to the company based on the results of the data analysis so that the company can achieve its information technology goals. Thus, the steps taken can help the author measure and provide appropriate recommendations to the company.

Results and Discussion
Sorting based on priority is necessary for the 20 enterprise goals in COBIT 5.0. Based on the company's choices and priorities, the three resulting enterprise goals are the availability and continuity of business services, a customer-oriented service culture, and compliance with internal policies. Availability and continuity of business services aim to ensure that crucial business services remain available and run well without significant disruption, thereby supporting the company's smooth operations. A customer-oriented service culture seeks to build a culture within the organization that focuses on quality service to customers to increase customer satisfaction and strengthen relationships with them. Compliance with internal policies aims to ensure that all activities and decisions within the company comply with established internal policies and regulations to reduce the risk of violations and improve internal control. Knowing the priorities of these enterprise goals allows companies to direct their efforts to achieve their primary business goals more effectively and efficiently. Every decision and step taken in information technology management can be based on these priorities to support the company's long-term growth and success.
After identifying enterprise goals, the next step is to map those goals to information technology goals. From this mapping, companies can see the relationship between the business goals they want to achieve and the support provided by information technology. The mapping results will show which information technology goals can directly support achieving enterprise goals. After that, the company can determine the priority order of information technology goals, which will be the basis for determining the next steps in developing and managing information systems. In this way, companies can ensure that investments and IT management efforts align with established business priorities. After mapping enterprise goals to IT goals, the next step is to sort the top three goals based on the company's priorities and choices, complete with the IT goals for each enterprise goal. The company will select relevant COBIT 5.0 domains from these three enterprise goals to be used in the evaluation and information technology management planning process. It is crucial to ensure that the focus of IT development and management aligns with established business priorities so that the company can achieve its business goals effectively and efficiently.
After mapping enterprise goals to IT goals, the next step is to enter the COBIT 5.0 process. Nine processes will be mapped to IT goals. These nine processes are obtained from enterprise and IT goals adjusted to the company's vision and mission. The COBIT 5.0 process will help companies identify, assess, and manage risks related to information technology and ensure that IT management aligns with the company's business needs and objectives. By following the COBIT 5.0 process, it is hoped that companies can increase the effectiveness and efficiency of their IT management to significantly contribute to achieving the company's business goals. Information security, processing infrastructure, applications, and availability of reliable and valuable information for decision-making were selected for the following process, namely the implementation process. The selection of this domain is based on enterprise goals because it is considered most appropriate to the company's goals. By choosing this domain, it is hoped that companies can improve the security of their information, processing infrastructure, and applications, as well as ensure the availability of reliable information to support informed decision-making. This is a strategic step in supporting smooth operations and achieving the company's business goals.
The average score in the domain illustrates that the company has not been able to identify IT risks quickly. Because the score is below 65%, the process cannot advance to level two. This result shows the importance of evaluating the company's business processes to achieve alignment. Regular evaluation is crucial because it can help minimize possible risks so the company can run its operations more safely and efficiently. This evaluation also allows companies to continue to adapt to changes in the dynamic business and technological environment. In this way, companies can ensure that their IT systems remain relevant and support the company's business goals.
An average score of 70% in the domain indicates a lack of identification between IT and the company regarding the services desired and provided to the company. Because the score is <65%, the process cannot proceed to level two. This result shows the need for companies to pay more attention to identifying their business process needs. A lack of information technology services and management review can impact a company's business processes. Therefore, companies need to carry out a more in-depth evaluation to ensure that the information technology services provided can meet business needs and support company growth. This evaluation can also help improve coordination between IT and management in achieving the company's business goals. The average score of 70% in the domain shows that in analyzing the system, the company is still lacking because it does not collect data well enough and does not consider risks that may occur in the future. Because the score is <85%, the process cannot proceed to level 2. This result shows the need for companies to improve risk management. It is essential to report any risks that occur or may arise in the future regularly because these reports are significant in the company's business processes. An average score of 70% in the domain indicates no internal audit of information security management and a lack of input regarding information security. Because the score is <85%, the process cannot proceed to level 2. The score indicates the company must conduct regular internal audits to correct errors. Providing input to the company is very important because it can influence business processes. The IT team knows information security management best, so its input is valuable for improving the security of the company's information system.
An average score of 60% in the domain indicates that the company has quite good performance in managing hardware requirements for data storage. However, there are shortcomings in identifying performance and collecting data regarding failures in dealing with problems. Because the score is below 85%, the process cannot proceed to level 2. This score emphasizes the importance of companies identifying service capacity. Looking at the development of current business processes can help companies predict their future needs and improve their performance in facing complex information technology challenges. On the other hand, an average score of 65% in the domain indicates that companies do not consider the impact of service providers and do not prepare for emergency changes. Because the score is also below 85%, the process cannot proceed to level 2. This score indicates that companies should pay more attention to the impact of their services on business processes. Apart from that, companies must also pay more attention to sudden changes because of the possibility of problems in business processes. Thus, companies need to increase their readiness and flexibility to face changes in business and information technology environments. The average score of 60% in the domain indicates that the available information is still inadequate to manage service assets optimally. Because the score is <85%, the process cannot proceed to level 2. This score indicates the need for the company to review its configuration and services to fulfill appropriate asset and service management requirements. This is important to ensure that the company's IT assets can be managed effectively and efficiently.
On the other hand, an average score of 60% in the domain indicates that the company is not alert to handling problems that occur and takes quite a long time to resolve them. Because the score is also <85%, the process cannot proceed to level 2. This score emphasizes the need for companies to have a business process analyst who can predict problems that may occur by relating them to ongoing business processes. This way, companies can avoid problems that hamper business processes and take appropriate action quickly. The average score of 60% in the domain shows that every action that will be carried out must be approved first by the management, and negotiations are held to express each other's opinions. Because the score is <85%, the process cannot proceed to level 2. This score indicates that the company needs to carry out regular information system testing to ensure that business processes can run smoothly. In addition, conducting a business impact analysis can help a company evaluate impacts that might disrupt its business processes. Thus, the company can take appropriate action to overcome the problem and maintain smooth operations.
During interviews conducted directly at the company location, the main focus lies on the system being used, whether for internal or external purposes or solely for one of them. The company explains that its system is only used for internal employees. The procedure for registering prospective pilgrims is carried out manually by writing personal data, and then the company will enter this data into its system. This shows that the company has different systems for internal and external purposes, with separate processes for internal and external users. To maintain the confidentiality of company data, the company has implemented good practices to ensure that customers always trust their personal data. The company also gives high priority to IT services that suit the company's needs. However, in dealing with problems, companies often have difficulty identifying, analyzing, and reporting unpredictable issues. Nevertheless, the company has committed to improving its data storage needs by making appropriate preparations and reporting when servers need to be added. Even so, the configuration for fulfilling information for managing service assets remains incomplete.
From the process that has been carried out, from identifying enterprise goals to mapping and calculating questionnaires and interviews, it can be concluded that the company is still at level 1 in implementing COBIT 5.0. This indicates that the company has room to improve service quality and manage possible risks. Companies should continue evaluating and improving their IT processes while paying more attention to providing information and identifying unexpected problems. Thus, companies can take appropriate steps to enhance the quality of service and manage risks more effectively.

Conclusion
The company scored 80% on the process in the domain, which addresses IT risk optimization. Regular evaluation of business processes is crucial to create alignment and deal with possible risks. To move up to level 2, companies need to identify and understand the impact of the risks.
There are three processes in the domain: 12, 15, and 16. APO12 discusses managing service agreements with a score of 65%. The lack of IT identification with the company and the company's service needs need to be improved. 15 discusses risk management with a score of 70%, and 16 discusses security management with a score of 70%. Companies are advised to improve their IT services and security, conduct audits, and report risks that occur and that will happen in the future.
In the domain, there are 7, 9, and 13. 7 discusses availability and capability management with a score of 55%, 9 discusses change management with a score of 65%, and 13 discusses configuration management with a score of 60%. Companies need to identify service capacity, predict future needs, and be ready to face sudden changes.
In the domain, there are 6 and 7. It discusses problem management with a score of 60% and continuity management with a score of 60%. Companies need to have information system analysis experts and conduct training for their staff, as well as identify availability and service problems and test the ability of their systems to move up to level 2.
To improve IT performance, companies can carry out regular evaluations, analyzing possible risks that will occur in the future and making changes following developments in business processes. Apart from that, companies also need to be able to handle sudden changes due to unforeseen problems. These steps aim to enable companies to achieve IT goals effectively and efficiently. Companies can also make improvements to the capability level to move up to level two.