How to cite:
Piyan, Sfenrianto (2024) IT Evaluation Based on Cobit 5 Framework at XYZ Embassy, (06) 05,
https://doi.org/10.36418/syntax-idea.v3i6.1227
E-ISSN: 2684-883X
Published by: Ridwan Institute
IT EVALUATION BASED ON COBIT 5 FRAMEWORK AT XYZ EMBASSY
Piyan, Sfenrianto
Bina Nusantara University, Indonesia
Abstract
An embassy is a government organization located abroad and tasked with carrying out
diplomacy towards the accredited country where the embassy is domiciled. The XYZ Embassy
is located on the African continent and has an organizational structure consisting of the
Ambassador and several diplomats and local staff. As is generally the case for XYZ country
in all countries, the XYZ Embassy also experiences problems, especially related to ICT:
inadequate IT infrastructure, poor-quality electronic goods, limited ICT resources, poor
energy resources, information systems that are not yet integrated, and limited ICT
procurement and maintenance budgets. The aim of this research is to evaluate ICT governance
at the XYZ Embassy using the COBIT 5 framework, so that a capability level assessment can
be carried out, a gap analysis obtained, and recommendations provided for improving ICT
governance at the XYZ Embassy. The benefits of the research include assessing the condition
of needs in ICT management at the XYZ Embassy, helping to measure the capability level of
ICT management, and providing recommendations to maximize and optimize the use of ICT
using COBIT 5.
Keywords: ICT Governance, COBIT 5, Government, Embassies
INTRODUCTION
The XYZ Embassy is located on the African continent. Its organizational structure includes
Ambassadors, Political Functions, Economic Functions, Social Security Officers, Indonesian
Citizens-BHI Protection Officers, Consular Function Executors, Acceleration Administrators
and Diplomatic Information Institutions. The XYZ Embassy is a working unit under the
Ministry of Foreign Affairs. The IT problems faced by the XYZ Embassy, and by its IT
division in particular, in relation to ICT governance include: (1) the IT infrastructure of
the XYZ Embassy is inadequate and the quality of electronic equipment is poor because good
device components are difficult to find at affordable prices; (2) facilities and
infrastructure are also poorly managed because few of the human resources working at the
XYZ Embassy have an IT educational background, and the IT department is currently held by
only 1 (one) Diplomacy Information Agency / PID and 1 (one) local communication staff;
(3) energy resources in the local country are generally very poor: it is estimated that
power outages occur around 5-10 times a day, which affects the lifespan of the electronic
devices and causes high maintenance costs; (4) the lack of integration of all information and data
JOURNAL SYNTAX IDEA
pISSN: 2723-4339 e-ISSN: 2548-1398
Vol. 6, No. 05, May 2024
systems, with the availability of the data needed comprehensively for all types of data
being owned by all Function Implementers (PF) at the XYZ Embassy, and (5) the budget
determined by the Central Government for the XYZ Embassy, especially the budget for the
procurement of data processing and communication equipment, is considered very minimal.
The relationship
between organizations and IT governance can be measured by ICT evaluation using the
COBIT 5 framework. Evaluation can also be interpreted as the process of giving value to the
impact of a program, object or a series of processes with a predetermined set and
requirements (Fajarwati, Sarmini, & Septiana, 2018). IT evaluation and audit aims to evaluate
and ensure that the IT processes that have been carried out in the organization are based on
the standard operating procedures implemented that are used to maintain and monitor those
processes (Andry, 2016; Sarno, 2009). COBIT 5 is very complete and provides a basis for
effectively integrating frameworks, standards, and other practices that have been used, where
the standards reach all scopes of the company/agency (Damayanti & Manuputty, 2019). IT
governance is the responsibility of executive management or directors, and is part of
enterprise governance. Governance is a collection of interrelated and structured processes to
direct and control the organization in achieving goals (Prawira & Darmizal, 2016; Purwanto,
Sumbaryadi, & Sarmadi, 2018). IT governance focuses on two things, namely how IT efforts
provide added value to the business and risk management when they have been implemented.
COBIT 5 can be the right IT evaluation method to find out whether XYZ Embassy has carried
out good IT management and also COBIT 5 is able to help improve IT governance according
to standards and policies in carrying out business processes that are effective (Siregar &
Rustamaji, 2017). COBIT 5 is an overarching framework that can assist organizations in
achieving their goals for organizational IT governance and management. COBIT 5 can also be
understood as a framework in the form of best-practice guidance that presents activities in
a managed and logical IT organizational structure, compiled by experts in the field of IT
governance, and more focused on performance evaluation control (Wulandari, Dewi, Pohan,
Sensuse, & Mishbah, 2019). The use of IT in
government agencies, especially in the field of cases, is not only used by employees who
work in the IT department, but is a must for employees who work in all parts such as
administration, finance, criminal, civil and others related to IT (Belegur, Rudianto, &
Sitokdana, 2018). COBIT 5 helps companies create optimal value from IT by maintaining a
balance between gaining profits and optimizing the level of risk and resource use (Hanif,
Giatman, & Hadi, 2020; Ismail & Winarno, 2017). Research using COBIT 5 was conducted to
audit IT governance in the domains EDM04, DSS01, APO07 and APO01 (Adriani,
Mahardika, & Aryani, 2018). In addition, COBIT 5 is also used for evaluation of IT
governance by measuring the level of maturity of Information Systems / IT designs in four
domains, namely APO, EDM, BAI and DSS (Putra, Hakim, Pramono, & Tolle, 2017).
Source: COBIT 5 Governance and Management Key Areas (ISACA 2012)
(Pasquini & Galiè, 2013)
METHODS
The research was conducted using qualitative and quantitative descriptive approaches. The
object of research is the XYZ Embassy located in an African country. The goal is to find out
the actual situation in accordance with the problem formulation and identify the problems in
the XYZ Embassy. The data analysis method used in this paper is a qualitative approach.
Data to measure the capability model were collected by preparing questionnaires and
distributing them to all respondents; the questionnaires contained questions used to measure
the achievement of the process attributes at Level 1 based on the Process Capability
Assessment Model (PAM) at COBIT 5 (Murad et al., 2018).
RESULTS AND DISCUSSION
The researchers carried out planning by determining the respondents to be involved in the
evaluation process using sampling techniques, which are methods used to select a portion of
the larger population with the aim of collecting data or information that represents the
entire population. The criterion used in this study is that each Key Management Practice in
the selected COBIT 5 process has a RACI chart identifying who is responsible for the
activities in it.
Table 1. Processes that have a RACI chart

| RACI chart | Organizational Structure |
|---|---|
| APO01 (administer IT management framework) | Diplomatic Information Agency |
| APO06 (manage budgets and costs) | Diplomatic Information Agency |
| APO12 (manage risk) | Head Accelerator |
| APO13 (manage security) | Diplomatic Information Agency |
| BAI04 (manage capacity and inventory) | Accelerator |
| EDM02 (ensure delivery benefits) | Diplomatic Information Agency |
Data Collection Results in the APO Process

Table 2. Process Data Results for APO01, APO06, APO12, and APO13

| Key Management Practice | Output |
|---|---|
| APO01 (Define the management framework for IT) | The realization of effective policies in managing information and the use of information technology. The realization of adequate infrastructure. Creating awareness of roles and responsibilities in maintaining good electronic equipment (skilled human resources). |
| APO06 (Manage budget and cost) | Transparent and fair financial management, which is related to IT both in terms of business and IT (effectiveness and efficiency of organizational cost allocation). |
| APO12 (Manage risk) | The creation of a risk management strategy for human resources and energy resources at the XYZ Embassy. |
| APO13 (Manage security) | Creation of a system security management strategy related to data and IT at XYZ Embassy. |
Data Collection Results in the BAI04 Process

Table 3. BAI04 Process Data Results

| Output |
|---|
| The creation of infrastructure that is in accordance with the needs of the organization, especially in the field of energy resources, as well as the quality of equipment that supports the operational performance of the embassy. |
Data Collection Results in the EDM02 Process

Table 4. EDM02 Process Data Results

| Key Management Practice | Output |
|---|---|
| EDM02 (ensure value optimisation) | Creation of optimal IT-supported services. The creation of support for the budget towards the procurement of data processing and communication equipment. |
Researchers obtained the results of questionnaire calculations using the Likert scale
and received an evaluation of the capability level assessment. Researchers validate
data from questionnaires that have been distributed to respondents according to the
RACI table.
Table 5. Process Capability Model

| Maturity Scale | Capability level | Value | Information |
|---|---|---|---|
| 0.00 - 0.50 | Level 0 | Incomplete process | Processes that have not been implemented or failed to implement. |
| 0.51 - 1.50 | Level 1 | Performed process | The process that determines the achievement of goals. |
| 1.51 - 2.50 | Level 2 | Managed process | A process that includes planning, monitoring, and adjustments. |
| 2.51 - 3.50 | Level 3 | Established process | The process that has been built is then implemented to achieve the results of the process. |
| 3.51 - 4.50 | Level 4 | Predictable process | The process that has been built is then operated with limitations that are able to achieve the expectations of the process. |
| 4.51 - 5.00 | Level 5 | Optimizing process | Predictable processes are continuously improved to meet business goals and company objectives. |
The process capability model is useful for determining the level of ongoing and
future information technology risk optimization capabilities. The results of
the questionnaire answers show the level of achievement that is currently running at
the XYZ Embassy as follows:
Figure 1. APO01 Questionnaire Recapitulation Results
Figure 2. APO06 Questionnaire Recapitulation Results
Figure 3 Results of APO12 Questionnaire Recapitulation
Figure 4 Results of APO13 Questionnaire Recapitulation
Figure 5 BAI04 Questionnaire Recapitulation Results
Figure 6 EDM02 Questionnaire Recapitulation Results
The representation diagram for capability levels APO01.1, APO01.2, APO01.3,
APO01.4, and APO01.5 is as follows:
Figure 7 Representation Diagram of APO01 Capability Levels
Meanwhile, the representation diagram for the BAI04 capability level is as follows:
Figure 8 BAI04 Capability Level Representation Diagram
And the representation diagram for the EDM02 capability level is as follows:
Figure 9 EDM02 Capability Level Representation Diagram
The researcher presents tables of findings, gaps and the recommendations
needed to close the existing gaps. Gap analysis is used to evaluate businesses
within a company based on the gap between current performance and achieved
performance (S. Adi, 2015). Recommendations are determined by providing
improvement solutions for each process that has not been maximized to 100%
(Putri et al., 2017). It is known that the value for the APO13 (Manage Security)
process for the as-is condition is 0.80, which is at the highest level compared to
the others. The EDM02 (ensure benefit delivery) process value is 1.76, with
capability level at level 2.
Table 6. APO13 Process

| Process | Findings | GAP | Recommendation |
|---|---|---|---|
| APO13 | XYZ Embassy manages information security, runs technology and business processes that are secure and in line with company management. | There is no documentation for the company, as well as the absence of a special unit within the embassy that aims to handle information security issues. In the information security assessment, the embassy did not continue the security audit so it is not known whether the improvement effort has gone well or not. | Establish a special unit that has the task of planning, monitoring, and regulating matters related to information security management. Create a written document regarding an information security risk management plan. Run a security internal audit program. |
Table 7. EDM02

| Process | Findings | GAP | Recommendation |
|---|---|---|---|
| EDM02 | XYZ Embassy has IT infrastructure available. | There has not been a periodic review to determine whether the investment spent has provided benefits in the entire process at the embassy. The weak side of work program planning in seeing the use of IT by embassies. | First, review the value or benefits of procuring IT services regularly to find out how much IT benefits in the overall process within the embassy. The importance of planning work programs, investment, financing, and risk, to see how the benefits of using IT as a performance support. Collect relevant, complete and accurate data as performance reports to support decision making related to information technology. Establish SOPs (Standard Operating Procedures) related to the process of ensuring the delivery of value or benefits (ensure benefit delivery). |
CONCLUSION
Based on the results of the analysis described in the previous chapter on the
Evaluation of Information Technology Governance Using the COBIT 5 Framework at the
XYZ Embassy, the researchers draw the following conclusions. In the APO13 (manage
security) process, the capability is at level 1 with a value of 1.2 with 37.8%, while the
expected capability level is 1.72. In other words, to reach the expected level, the embassy
must first meet the process capability indicators at level 1 that are still not met. These
include, first, forming a special unit that has the task of planning, monitoring, and
regulating matters related to information security management; second, creating a written
document regarding the information security risk management plan; and third, running a
security internal audit program. In the EDM02 process (Evaluate, Direct, and Monitor) the
capability is currently at level 2 (Performed process) with a capability value of 1.96
(largely achieved), while the expected capability level, at level 3, has a capability of
2.55. In other words, to achieve the target, the embassy is expected to meet the process
capability indicators at that level. At the expected level, embassies need to close these
gaps by making guidelines in the form of SOPs. First, review the value or benefits of
procuring IT services regularly to find out how much IT benefits the overall process within
the embassy. Second, plan work programs, investment, financing, and risk, to see how the
use of IT benefits the embassy as a performance support, and collect relevant, complete and
accurate data as performance reports to support decision making related to information
technology. Third, establish SOPs (Standard Operating Procedures) related to the process of
ensuring the delivery of value or benefits (ensure benefit delivery).
The discussion of research topics leads to the evaluation of IT governance based on the
COBIT 5 framework at the XYZ Embassy. At this stage, researchers get interview results in
the form of information about the current condition of the XYZ Embassy and what is
expected for the future.
BIBLIOGRAPHY
Adriani, Ni Luh, Mahardika, IMSS, & Aryani, Ni Wayan Sri. (2018). Audit of Certification
System Governance Using COBIT 5. Int. J. Eng. Emerg. Technol, 3(2).
Andry, Johanes Fernandes. (2016). Audit of IT Governance Based on COBIT 5 assessments:
A case study. Jurnal Nasional Teknologi Dan Sistem Informasi, 2(2), 27-34.
Belegur, Juan Adithya Imanuel, Rudianto, Chris, & Sitokdana, Melkior. (2018). Evaluasi Tata
Kelola Teknologi Informasi Dinas Pariwisata dan Kebudayaan Kota Ambon
Menggunakan Framework Cobit 5.0 pada Domain Monitor, Evaluate And Asses (MEA).
Aiti, 15(2), 107-114.
Damayanti, Ratna, & Manuputty, Augie David. (2019). A Analysis Of Information
Technology Governance In Department of Communication And Informatics of Salatiga
Using COBIT 5 Framework DSS Domain. Journal of Information Systems and
Informatics, 1(2), 97-122.
Fajarwati, Septi, Sarmini, Sarmini, & Septiana, Yuyun. (2018). Evaluasi Tata Kelola
Teknologi Informasi Menggunakan Kerangka Kerja COBIT 5. JUITA: Jurnal
Informatika, 6(2), 73-80.
Hanif, Asnita, Giatman, M., & Hadi, Ahmaddul. (2020). Evaluasi Tata Kelola Teknologi
Informasi Di Dinas Komunikasi Dan Informatika Menggunakan Framework Cobit 5. JST
(Jurnal Sains Dan Teknologi), 9(1), 94-101.
Ismail, M. Panji, & Winarno, Wing Wahyu. (2017). Manajemen Sumber Daya Teknologi
Informasi Laboratorium Komputer Menggunakan Balanced Scorecard (BSC) dan
COBIT 5. JURNAL INFOTEL Informatika-Telekomunikasi-Elektronika, 9(2), 158-165.
Murad, Dina Fitria, Fernando, Erick, Irsan, Muhamad, Kosala, Raymondus Raymond, Ranti,
Benny, & Supangkat, Suhono Harso. (2018). Implementation of COBIT 5 framework for
academic information system audit perspective: evaluate, direct, and monitor. 2018
International Conference on Applied Information Technology and Innovation (ICAITI),
102-107. IEEE.
Pasquini, Alex, & Galiè, Emidio. (2013). COBIT 5 and the Process Capability Model.
Improvements Provided for IT Governance Process. Proceedings of FIKUSZ, 13, 67-76.
Prawira, Muhammad Kukuh, & Darmizal, Teddie. (2016). Perencanaan Strategis Teknologi
Informasi Dinas Pendapatan Daerah Kabupaten Rokan Hilir Menggunakan Framework
Ward and Peppard. Jurnal CoreIT: Jurnal Hasil Penelitian Ilmu Komputer Dan
Teknologi Informasi, 2(1), 8-13.
Purwanto, Heru, Sumbaryadi, Achmad, & Sarmadi, Sarmadi. (2018). E-Crm Berbasis Web
Pada Sistem Informasi Penjualan Funiture. Jurnal Pilar Nusa Mandiri, 14(1), 15-20.
Putra, I. Nengah, Hakim, Abdul, Pramono, Sholeh H., & Tolle, Herman. (2017). Adopted
COBIT-5 framework for system design of Indonesia navy IS/IT: An evaluation.
International Journal of Applied Engineering Research, 12(17), 6420-6427.
Sarno, Riyanarto. (2009). Audit System and Information Technology. Audit System and
Technology Information. Institute Technology of Surabaya Publisher. Surabaya,
Indonesia.
Siregar, Sahbani, & Rustamaji, Eri. (2017). Determining evaluated domain process through
problem identification using COBIT 5 framework. 2017 5th International Conference on
Cyber and IT Service Management (CITSM), 1-6. IEEE.
Wulandari, Sari Agustin, Dewi, Anggi Permata, Pohan, M. Rizki, Sensuse, Dana Indra, &
Mishbah, M. (2019). Risk assessment and recommendation strategy based on COBIT 5
for risk: Case study sikn Jikn helpdesk service. Procedia Computer Science, 161,
168-177.
Copyright holder: Piyan, Sfenrianto (2024)
First publication right: Syntax Idea
This article is licensed under: