Abstract—Information Technology (IT) governance is a Information technology audits have several standards that
collection of processes that aim to ensure the suitability of IT are used for research [3]. Examples of these standards are the
implementation with its support for achieving organizational Information Technology Infrastructure Library (ITIL) and
goals. Good IT governance can help support the organization's Control Objectives for Information and Related Technologies
success in achieving its goals. To find out the extent to which IT (COBIT). ITIL focuses on services for customers and does not
governance is implemented, IT governance needs to be audited. provide a process of aligning the company's strategy with IT
In its development, IT has been applied in various places, one of strategies. COBIT provides detailed IT Governance and
which is the University. IT implemented in the University is a control objectives framework for managers, business process
concept that answers the needs of the organization to guarantee
owners, users, and auditors because it manages information
the return of invested IT. Without IT governance, it can be a
waste of IT investment done. XYZ University is one of several
technology holistically so that the value provided by IT can be
universities that have implemented IT to support data services achieved optimally by taking into account all aspects of IT
and management. The implementation of IT at XYZ university governance [4]. COBIT continues to grow until now two
has never been audited. The purpose of this study was to versions are often used, namely COBIT 4.1 and COBIT 5. In
conduct an audit of the IT governance that was implemented. IT COBIT 5 there are new processes that were previously not in
governance audit is carried out based on the COBIT 5 COBIT 4.1. So, the processes at COBIT 5 are more holistic
framework. This research uses a descriptive method. Based on and cover aspects of corporate governance and IT
the results obtained from the analysis carried out, IT management [5]. For instance, a study in [6] was measuring
governance at XYZ university is still at the level of capability and evaluating the attendance system in a body and repairs
level 0 - Incomplete Process with the acquisition of capability services company by using COBIT 5. Moreover, in [7]-[9]
values averaging 0.5. Researchers provide advice for the also use COBIT in different types of company, such as internet
University to improve IT governance that has been implemented service provider, oil palm, higher education, respectively.
so that in the future it can achieve a higher level of capability. Therefore COBIT 5 is considered appropriate and can assist
in the information technology audit process because it covers
Keywords— IT Governance, IT Audit, COBIT 5, Capability all elements of the information technology used and one of the
Level organizations implementing IT is the university.
I. INTRODUCTION The University is an educational institution consisting of
Information technology (IT) plays an important role in several faculties that carry out scientific and professional
supporting the activities and business processes of an education in several scientific disciplines to educate the life of
organization. Some important roles of IT in an organization, the nation. The university provides academic degrees in
among others, as a means to assist an organization in realizing various fields. IT is positioned as a means of increasing
efficiency between management and operational perspectives, knowledge and at the same time providing maximum service
improving service quality to consumers, and IT can also be for all university stakeholders [10].
used as a basis for assisting decision making. To achieve this, IT in a university is a concept that answers the needs of the
good and correct management of IT is needed so that IT can organization to guarantee the return of invested IT investment.
be utilized to support the organization's success in achieving Without IT governance, the risk of IT investment and service
its goals. The success of organizational governance depends failure can result. Most IT governance in higher education is
on how far IT governance is applied [1]. still not done optimally [2].
The competitiveness of an organization depends heavily XYZ University is one of the various universities in North
on IT governance because good IT governance can help Sulawesi. XYZ University has implemented IT to help service
organizations maximize the benefits of implementing IT. IT and process data. IT management at XYZ University is still
governance is a procedure and set of processes that aim to done in two ways, namely, computerized and manual so that
ensure the suitability of IT implementation with its support for IT integration has not been optimal which has resulted in IT
achieving organizational goals, controlling the use of IT not being able to provide solutions to business changes
resources and managing risks associated with IT. IT properly. On the other hand, IT applied at XYZ university has
governance also controls all stages in the IT solution life cycle never been audited.
to maintain harmony between IT and organizational strategies
to achieve the organization's business goals. IT governance is Therefore, this research was conducted to make a report
needed because IT is no longer only seen as a supporting on the results of IT governance audits at XYZ University. This
element of business processes but has been seen as part of a research has gone through several stages starting from needs
business strategy. For this reason, an IT audit is needed to analysis, to report writing and giving
determine the extent to which IT has been implemented to recommendations/suggestions on the results of IT governance
help achieve organizational goals [2]. audits that are in line with the current business model. To
examine IT governance at XYZ University, researchers used
the COBIT 5.0 framework.
II. RESEARCH METHOD 18) MEA01: Monitor, Evaluate and Assess
Performance and Conformance
This research uses a descriptive evaluation method. This Performance and Conformance
study aims to measure the results or effects of activity by
comparing them with the intended goals [11]. The results
Descriptive research is research that aims to describe the
The process of evaluating IT governance using
current situation by using scientific procedures to answer
COBIT 5 includes 18 processes based on the results of the
actual problems.
organization's vision & mission mapping into the COBIT
B. Data Source process 5. The measurement results are based on the indicators
The researcher uses primary data and secondary data. of each process [8]. The overall assessment results of each
Primary data is data obtained by researchers directly. COBIT 5 control objective can be seen in Fig. 1. The average
Secondary data is data obtained by researchers from existing achievement of IT governance at UKLAB is 0.5, meaning that
sources. most IT processes have been carried out but have not yet
achieved the objectives of the IT process. For example, when
C. Data Collection Technique IT-related problems arise and are dealt with, there is no record
The researcher observes and runs a questionnaire to collect of these problems. As a result, the same types of problems can
the data needed in the current study. The questionnaire was occur repeatedly [14]. From Fig. 1, it can also be seen that the
developed based on the COBIT 5 framework which refers to domain that reaches the highest value is the DSS domain of
the processes related to the customer section (Balance Score 0.57 and the domain that reaches the lowest value is the MEA
Card) BSC [12]. Therefore, it does not need to be tested for domain of 0.37.
validity and reliability. The questionnaire chosen by the
researcher was based on the results of the organization's vision
& mission mapping into the COBIT process 5. This
questionnaire was distributed to deans, heads of departments
under the vice-chancellors 1 and 3, and vice-chancellor 1 and
vice-chancellor 3.
D. Process Mapping COBIT 5
In conducting mapping, researchers use a top-down
approach. The top-down approach is carried out from the
mapping of policy directions or organizational structures that
can be seen in the organization's vision and mission statements
and adapted to existing IT problems. The organization's vision
& mission statement is mapped to the enterprise goal COBIT
5 [13]. Furthermore, enterprise goals related to the company
vision and mission are mapped to IT related goals which are Fig. 1. Results of Capability Levels of each Domain
then mapped again into the COBIT 5 process. This mapping
focuses on the BSC customer section only. From the results of this study, it can be concluded that
XYZ universities need to make improvements as well as
After mapping, a number of COBIT 5 processes on the improvements to the MEA01 domain especially in the
BSC customer section were found as follows: MEA01 process: Monitor, Evaluate and Assess Performance
1) EDM01: Ensure Governance Framework Settings and Conformance.
and Maintenance A. EDM Domain Results (Evaluate, Direct, and Control)
2) EDM02: Ensure Benefits Delivery
3) EDM05: Ensure Stakeholder Transparency EDM domains relate to stakeholder governance objectives
- value delivery, risk optimization, and resource optimization
4) APO02: Manage Strategy
- and include practices and activities aimed at evaluating
5) APO08: Manage Relationship
strategic options, providing direction to IT and monitoring
6) APO09: Manage Service Agreement results. In the EDM domain, there are 3 processes examined
7) APO10: Manage Suppliers based on the results of the mapping in the previous section.
8) APO11: Manage Quality These processes are EDM01, EDM02 & EDM05. Overall, the
9) BAI02: Manage Requirements Definition achievement of the EDM domain is 0.49.
10) BAI03: Manage Solution Identification and Build
11) BAI04: Manage Availability and Capacity Based on Fig. 2. it can be seen that the EDM domain that
12) BAI06: Manage Changes achieves the highest value is the EDM05 process: Ensure
13) DSS01: Manage Operations Stakeholder Transparency of 0.62. This means that the process
has been implemented but most of the outcomes of the process
14) DSS02: Manage Service Requests and Incidents
have not been achieved. The outcome of a good EDM05 is
15) DSS03: Manage Problems
that communication to stakeholders is effective and timely and
16) DSS04: Manage Continuity the basis for reporting is set to improve performance, identify
17) DSS06: Manage Business Process Controls
areas for improvement, and ensure that IT-related goals and C. BAI Domain Results (Build, Acquire and Implement)
strategies are in line with organizational strategy [13]. This domain provides solutions and continues them to be
converted into services. To realize an IT strategy, IT solutions
need to be identified, developed or acquired and implemented
and integrated into business processes. Changes and
maintenance of existing systems are also covered by this
domain, to ensure that solutions continue to meet business
objectives [16]. In the BAI domain, there are 4 processes
examined based on the results of the mapping in the previous
section. These processes are BAI02, BAI03, BAI04, &
BAI06. Overall, the achievement of the BAI domain is 0.52.
Based on Fig. 4. the process that gets the highest score is
BAI04: Manage Availability and Capacity, the value obtained
is 0.62. This means that the process has been implemented and
part of the process outcome has been achieved. The outcome
Fig. 2. EDM domain Results
of a good BAI04 is maintaining service availability, efficient
B. APO Domain Results (Align, Plan, Organize) resource management, and optimizing system performance
through predicting future performance and capacity
This domain includes strategies and tactics and identifying requirements [13].
the best ways IT can contribute to achieving business goals.
The realization of a strategic vision needs to be planned, The achievement of the lowest value for the BAI domain
communicated and managed for a different perspective. The is BAI06: Manage Changes, which is equal to 0.44, which
right organization, as well as technological infrastructure, means that XYZ universities have implemented this process,
must be enforced [15]. In the APO domain, there are 5 however, most of the process outcomes are not achieved. The
processes examined based on the results of the mapping in the good outcome of the BAI06 process is to allow the delivery of
previous section. These processes are APO02, APO08, rapid and reliable changes to business and risk mitigation to
APO09, APO10 & APO11. Overall, the achievement of the have a negative impact on changing environmental stability or
APO domain is 0.53. integrity [13].
The process that reaches the highest score is APO11:
Manage Quality with a value of 0.7 followed by APO08:
Manage Relationship with a value of 0.59 as illustrated in Fig.
3. This shows that both processes have been implemented and
most of the outcomes of each process have been achieved. The
outcome of the APO11 and APO08 processes is the delivery
of consistent solutions and services to meet company quality
requirements and meet stakeholder needs and increase self-
confidence (IT parties), trust in IT and effective resource use
processes have the same value of 0.44. Both of these processes does not recur. Reporting (related to IT) to stakeholders has
have been implemented, but good outcomes from these two been quite good, this is evidenced by the existence of a
processes have not been achieved. The good outcome for the transparent accountability report, which was made by the IT
DSS02 is achieving increased productivity and minimizing Dept. XYZ University to stakeholders.
disruption through a quick resolution of user questions and
incidents. And for DSS04 it is to continue important business Measuring the level of IT governance capabilities at
operations and maintain the availability of information at a XYZ University is done using the COBIT 5.0 framework
level acceptable to the company in the event of a significant which includes every domain (EDM, APO, BAI, DSS, &
disruption [13]. MEA). Measurement starts from mapping the organization's
vision and mission into COBIT 5.0 processes. From the results
of the mapping, 18 selected processes were obtained. Data
collection is done by observing and distributing
questionnaires to related parties.
Overall, IT governance at XYZ University is at the
level of capability level 0 (Incomplete Process), with an
average value of 0.5. The domain that gets the highest score is
the DSS domain of 0.57 and the domain that reaches the
lowest value is the MEA domain of 0.37.
Based on the results of the research conducted,
researchers have several suggestions that can be considered by
XYZ universities to improve IT governance: 1) The domain
Fig. 5. DSS Domain Results with achieving the lowest value is expected to immediately
make improvements first and pay more attention to achieving
E. MEA domain Results (Monitor, Evaluate, Assess) the expected goals; 2) Conduct continuous evaluations to
Domain MEA monitors all processes to ensure that the improve IT governance that refers to the COBIT standard 5.
directions provided are followed. All IT processes must be
regularly assessed from time to time for their quality and
