DOMAIN ANALYSIS AND AUDIT OF IT GOVERNANCE BASED ON COBIT 5 AT DENPASAR INDUSTRIAL TRAINING CENTER

Information technology has become a key element of organizations and one of institutions’ added value and competitive advantages. Therefore, IT must be properly managed and measured. Denpasar Industrial Training Center (BDI) has implemented the IT Governance Education and Training Information System, SISDIKLAT. This application has never been evaluated from an IT governance perspective. This study aimed to determine domains and assess SISDIKLAT using methods relevant to COBIT 5. To assist the organization in focusing on its main objectives and strategies, a tailored governance system based on the specificities of SISDIKLAT is required. This research assists BDI Denpasar in establishing healthy governance and IT management by utilizing the COBIT 5 framework. Both qualitative and quantitative approaches are used to select relevant governance/management objectives. Four domains and nine subdomains were chosen based on the domain analysis. According to the assessment results, the capability value of each subdomain was 2-3, with a gap value of 0.2-0.8. Recommendations were given for the nine subdomains to reach the target level.


INTRODUCTION
Information technology (IT) has become a necessity for all aspects of individuals, groups, organizations and government agencies. It can affect the achievement of a goal. Essentially, it will serve the overall goals of the organization by facilitating the collaboration and integration of resources [1], [2]. The Industrial Work Training Center (BDI) Denpasar is a unit under the Ministry of Industry of the Republic of Indonesia which is responsible for industrial development and further education. The management of training and continuing education by BDI Denpasar uses the Continuing Education and Training Information System (SISDIKLAT). SISDIKLAT is used in almost every training process, from registration to participant certification. In addition, professional certification bodies, training managers, and BDI partners also use it.
The use of SISDIKLAT was not properly managed during the implementation, and the alignment of information technology and business processes was not evaluated. Audits of management information systems and technology controls are required for SISDIKLAT [3], [4]. We must first identify issues or problems with various techniques, such as an efficient Qapproach and the concept of part-of-speech (POS) trees [5], before conducting a system audit.
Problem identification can be accomplished through a variety of methods, such as questioning, conducting interviews, or making observations [5].
Control Objectives for Information and Related Technology (COBIT), the Information Technology Infrastructure Library (ITIL) [6], and the ISO/IEC 27000 family [7], [8] are the most commonly used for managing information systems today [9]. ITIL focuses solely on information technology and how it can be managed and profited [10]. ISO, on the other hand, addresses relevant policies, processes, requirements, and procedures. ITIL focuses only on the logical phases of the process, defining what can be done but not how [9]. Furthermore, while ISO 27001 focuses primarily on information security, COBIT covers a broader range of topics [11]. Because of its scope, COBIT can act as an integrator, mapping business objectives to IT-related objectives (EGITs) covering specific areas [9]. The COBIT 5 framework can help auditors, users, and managers bridge the gap between business risks, control requirements, and technical information technology challenges. A complete COBIT 5 framework assists organizations in meeting their corporate governance and IT management objectives. It also allows for comprehensive IT regulation and management for all types of organizations, whether private, non-profit, or public [12]. Every organization needs a customized management system and operating context to function well. Thirty-seven auditing processes and five domains are defined by COBIT 5. Evaluate, Direct, and Monitor (EDM), Align, Plan, and Organize (APO), Build, Acquire, and Implement (BAI), Deliver, Service, and Support (DSS), and Monitor, Evaluate, and Assess (MEA) are the domains included in this list [13], [14].
This paper presents a methodology for determining identification processes in SISDIKLAT, BDI Denpasar, using the COBIT 5 framework. The purpose of this study is to assess the degree of IT governance skills of currently operating training centers by considering several factors such as effectiveness, efficiency, information technology functional units within the organization, and data integrity. To get an overview of IT governance performance to make decisions, asset protection, reliability, confidentiality, availability, and security [15]. One of the strengths of this study is the determination of process capability levels for IT models in training centers using COBIT 5.

METHOD
The research method is descriptive-quantitative evaluation. The analytical tool used in this study is the Information Systems Audit and Control Association (ISACA) standard procedure COBIT, and data can be obtained in a variety of ways, including observations, a survey approach, and questionnaires.
The study was conducted in several clearly defined stages to make it more structured, systematic, controlled, and directed. The following research flowchart, as shown in Figure 1, starts with a literature review, then moves on to identifying problems by mapping IT related to the implementation of COBIT 5 goals cascade, determining domain and subdomain, mapping the RACI Chart, collecting data, processing calculations, and providing recommendations [16].
Explanation of each stage in Figure 1 involved in the auditing process:
1. Literature study by collecting data related to COBIT 5 implementation from various sources, books, articles and journals. The collection and processing of data into company information is carried out by conducting interviews with open-ended questionnaires and observations, collecting document data, files, and IT-related problems at BDI.
2. Defining COBIT 5 domain processes by mapping IT-related goals based on IT issues to derive the processes to evaluate.
3. Merging the COBIT 5 processes and IT-related goals to get processes with scale P (Primary) and S (Secondary) that will be chosen to be evaluated based on stakeholder needs.
4. A list of domain processes is used to create questionnaires for auditing the SISDIKLAT system.
5. Data is gathered through questionnaires with interested respondents and information about the company's assets. Respondents are determined using the RACI diagram to describe the roles of stakeholders (Table 5).
6. Data processing is the next phase following data collection, and is completed after gathering the information required for the study.
7. Performing the capability level calculation process and analyzing the results.
8. Gap analysis: analysis of the difference between the current and expected conditions.
9. Improvement strategies and recommendations, provided based on the audit results.
The company's achievement goals necessitate outcomes that are highly relevant to IT goals, and IT-related goals are compiled using the dimensions of the IT balanced scorecard. COBIT 5 has finalized the definition of 17 IT-related objectives [17], which are shown in Tables 1 and 2 [18].


RESULT AND DISCUSSION
BDI Denpasar is a governance unit that has been operating since 2012 and has experience in providing information technology solutions and professional services to various companies in Indonesia, from small medium businesses to enterprises. Several issues were discovered while using SISDIKLAT, including: unreadable barcode scans that affect the check-in system for training participants in the dormitory, online attendance scans that have not been prepared by partners and integrated with the system, a certificate printing process that is awaiting synchronization with the central system, and the assignment of assessors by the BDI Denpasar Professional Certification Institute, which is still manual because the system does not yet support it.

Domain Analysis
The results of the data collection at BDI Denpasar revealed details about the organizational structure, objectives and functions. To implement training for the use of SISDIKLAT, BDI Denpasar is also collaborating with a number of partners. The first step in determining the IT process that will be used later in the audit is the identification of business goals. This process uses COBIT 5 to align BDI's vision and mission with the company's business goals. The 17 general objectives are defined in COBIT 5 and refer to both corporate and government objectives. P stands for primary linkage and S stands for secondary linkage in the mapping table [19], [20].

a. Mapping Enterprise Goals Based on Company Goals
The process of mapping enterprise goals based on company goals is an important step in determining the COBIT 5 domain. According to Table 1, the data to be collected is part of the Realization of Benefits and Optimization of Resources of SISDIKLAT BDI Denpasar. Business and institutional goals can be identified using dimensions of the Balanced Scorecard (BSC); more details are shown in Table 3.

b. Mapping Enterprise Goals to IT Related Goals
After mapping enterprise goals based on company goals, a mapping process is carried out between IT goals and institutional business. Mapping is done based on the COBIT 5 process reference model, to keep the process running. Mapping is performed with the goal of obtaining results that are in accordance with the process [8]. Table 4 shows the process mapping between each mapped destination.
Four domains and nine subdomains were chosen based on the domain analysis. These were EDM03, APO01, DSS01, DSS02, DSS03, DSS04, MEA01, MEA02, MEA03, and MEA04. The average process domain, as in Table 6, for the EDM domain is 2.30, APO is 2.60, DSS is 2.58 and MEA is 2.46. According to PAM, the EDM and MEA domains are at level 2, meaning that the process has been implemented and managed in a planned and monitored manner, while APO and DSS are at level 3, meaning that the IT process has been implemented correctly in terms of planning, monitoring, work product adjustments, control, and maintenance.
These results show that some of SISDIKLAT's current abilities are at level 2-3. The process has been mostly implemented and the majority of the process goals have been met, but it is still deemed to be less than optimal in delivering the information required.

IT Governance Audit

a. Capability Level Calculation Results
The capability model is measured using questionnaires.
One hundred fifty-nine respondents were used to validate the questionnaires using Bivariate Pearson and Cronbach's Alpha. The questionnaires were valid, with r-calculation > r-table, and reliable, with a Cronbach's Alpha value > 0.6. Questionnaires were distributed to six sections based on the RACI diagram identification as in Table 5. The extent of IT infrastructure management is determined by measuring the level of governance of IT infrastructure. In COBIT 5, the measuring scale employs the process assessment model (PAM). Maturity levels are classified into six categories ranging from 0 to 5. Each level has its own set of criteria; the assessment is based on the achievement (output) of Process Attribute (PA) [21].
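The validity and reliability checks named above (item-total Bivariate Pearson against an r-table value, and Cronbach's Alpha against 0.6) can be reproduced as follows. This is an added example, not code or data from the study: the response matrix is constructed, and `R_TABLE = 0.811` is the standard two-tailed 5% critical value for the six constructed respondents (df = 4), not the value that applies to the study's 159 respondents.

```python
from math import sqrt
from statistics import mean, variance

# Constructed sample: 6 respondents (rows) x 4 questionnaire items (columns),
# scored on a 0-5 scale. Not data from the study.
RESPONSES = [
    [3, 3, 2, 3],
    [2, 2, 2, 1],
    [4, 3, 3, 4],
    [1, 2, 1, 2],
    [3, 4, 3, 3],
    [2, 1, 2, 2],
]
R_TABLE = 0.811   # critical Pearson r, two-tailed alpha = 0.05, df = n - 2 = 4
ALPHA_MIN = 0.6   # reliability threshold stated in the text


def pearson_r(x, y):
    """Bivariate Pearson correlation; 0.0 if either series is constant."""
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0  # an item everyone answered identically carries no signal
    return sxy / sqrt(sxx * syy)


def cronbach_alpha(rows):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total scores))."""
    k = len(rows[0])
    items = list(zip(*rows))
    totals = [sum(r) for r in rows]
    return k / (k - 1) * (1 - sum(variance(i) for i in items) / variance(totals))


def validate(rows, r_table=R_TABLE, alpha_min=ALPHA_MIN):
    """Per-item validity (item-total r > r_table) and overall reliability."""
    totals = [sum(r) for r in rows]
    item_r = [pearson_r(col, totals) for col in zip(*rows)]
    alpha = cronbach_alpha(rows)
    return {
        "item_r": [round(r, 3) for r in item_r],
        "valid": [r > r_table for r in item_r],
        "alpha": round(alpha, 3),
        "reliable": alpha > alpha_min,
    }


if __name__ == "__main__":
    print(validate(RESPONSES))
```

An item whose item-total correlation falls below the r-table value would be dropped or reworded before the capability questionnaire is distributed.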

b. Gap capability level
This level of inequality is calculated by comparing the current process position (as is) to future expectations (to be). BDI Denpasar conducts a gap analysis to determine which activities should be carried out so that the current level of capability meets the desired level of expectations. The gap value is calculated by subtracting the current position value from the expected position value. This level of disparity is used to determine how much improvement the process needs to achieve the desired level of maturity. Figure 3 shows a comparison of the process with the level of the subdomain gap ranging from 0.2 to 0.8. EDM domain has the highest average gap, followed by MEA, DSS, and APO at 0.7, 0.53, 0.43, and 0.4, respectively. The gap difference between the current level and the target level still appears to be moderate.

c. Plan Program and Recommendation
The average gap amongst domains studied is 0.849. When compared to the optimal value, the average domain gap is 2.489, which is half of the maximum capability value. Figure 4 depicts differences in gaps across process domains, with current, expected, and optimal values. The green line represents the current capability level gap, which is close to the expected target level. However, according to the findings of this study, the current level of capability looks quite far from the optimal level. Recommendations are made by compiling a series of activities in improving IT service processes based on the level of achievement obtained in this study. Recommendations vary by process domain. To reduce the GAP value to the desired target level, the following recommendations should be followed.
First, the addition of duties and responsibilities from the organizational structure is an initial suggestion for EDM03. Internal control requires authorization and responsibility at all levels. As long as there are clear human resource responsibilities and standards or criteria, every individual and team is empowered and encouraged to take initiative, focus on problems, and solve them [22]. The second is related to the evaluation of infrastructure and resource needs. When incidents occur and there are not enough resources to cover them, activities are disrupted due to lack of human resources and backup infrastructure. The third recommendation is to optimize the process of risk oversight and risk assessment. Risk monitoring is the board's oversight process of the risk management framework, and risk assessment is an important part of risk management. Monitoring and risk assessment will help ensure that activities remain objective. The recommendation for APO01 is to evaluate the quality of the current IT strategy process. Leaders and staff must establish and implement a process to ensure that the goals of the institution are achieved consistently [17].
Consider identifying and developing mechanisms for measuring data migration, conversion, and backup aspects, as well as available performance and IT performance when changes occur in the operation of systems or IT services, and plan according to BDI's needs. There are three recommendations for DSS01. The first suggestion is to review related policies and SOPs for data security. Given the importance of data and information and the finding that there are data loss cases due to a broken computer, it is necessary to review the existing data security policy. The second recommendation is to create a logbook to mitigate the risk of unauthorized changes, unauthorized access and unavailability of financial data. The third recommendation is to make a classification scheme and priority of service requests obtained from users before they are forwarded to the education and training manager, so that the repair and updating process is carried out in priority order.
Two recommendations for DSS03 are as follows: first, a troubleshooter function must be developed in order to identify problems that occur quickly and on target, and second, a permanent solution to the root cause of the problem that has been identified must be developed.
The recommendation for DSS04 is to create documentation, perform scenario analysis, and monitor potential disruptive incidents. After successfully handling post-disruption business processes and services, conduct a review by assessing the adequacy of the Education and Training System.
Based on the gap analysis and target levels to be achieved in the MEA, some recommendations for improving the quality of SISDIKLAT BDI Denpasar are given below. For MEA01, the BDI lead reviews the system that monitors each task to ensure, for example, that the assessment lead monitors and submits responses to reports on assignment results. Establish SISDIKLAT quality assurance standards based on the BDI Denpasar Strategic Plan. Follow-up with the Indonesian Certification Guarantee Agency is required for setting quality assurance standards.
The Head of BDI Denpasar must ensure that SISDIKLAT quality assurance standards are developed, approved, and followed by recommendations for MEA02. Suggestions for improving MEA03 are to prepare an SOP mechanism for controlling SISDIKLAT in accordance with the recommendations for changes to MEA02 based on external changes in SISDIKLAT. Create requests to monitor IT activities in the form of daily/weekly reports or a dashboard system. Establish agreed monitoring objectives and metrics for monitoring activities, and set targets for performance and suitability of monitoring activities. After monitoring, create a document for processing the monitoring data.

CONCLUSION
Four domains and nine subdomains were chosen based on the domain analysis. The expected value of progress in the whole process is at level 3 with gaps at 0.2-0.8 performance. The average value of the analysis obtained is 2.5, indicating that BDI does not yet have a quality management system (QMS) as used in the industrial world, but they get feedback on service quality by filling out service surveys. Therefore, it is necessary to advise BDI Denpasar to implement a sustainable quality management system within the quality management framework. Recommendations are provided to improve the maturity level of IT Infrastructure Governance SISDIKLAT, specifically to support e-Government implementation in BDI Denpasar.

SIDIA is easy to use (user friendly).
The tools in SIDIA are simple to utilize.
BPSDMI successfully synchronized the training information data.
As needed, the SIDIA feature has been prepared.
Partners responded quickly to SIDIA's constraints.
SIDIA administrators responded quickly to constraints.
Partners can properly resolve problem-solving responses.