Measuring the Performance of IT Management in Financial Enterprise by Using COBIT

Authors: I Gusti Ayu Dian Sasmita Ratih, I Putu Agung Bayupati, I Made Sukarsa

Journal: International Journal of Information Engineering and Electronic Business (IJIEEB)

Published in issue: 1, vol. 6, 2014.

Free access

In a financial enterprise, electronic banking is IT integrated across the entire enterprise, used for financial data transactions, human resources, and the management of other important financial data. It must be managed very well; otherwise, problems in data processing will harm the enterprise. Data loss, transaction failure, and many other problems will have a long-term negative impact on the enterprise. The local state regulation issued by Bank Indonesia, which requires financial institutions to audit electronic banking externally and internally, is one of the reasons why this study was conducted. The methodology used to measure the performance of IT management in a financial enterprise (e.g. Bank X) is based on the COBIT 4.1 framework. The goals of the financial enterprise are mapped to the COBIT goals so that the relevant domains can be identified for further assessment. From the questionnaire and interviews conducted in Bank X, it was found that the average maturity level was 3-defined – IT management performance has developed to a phase where standard procedures and documentation processes are in place because of formal training for the users. However, the training was not yet fixed, and as a result many shortcomings could not be fully detected by the management, although a policy had been created previously. The policy was not able to reach the best practice level (i.e. level 5-optimized).


Maturity level, IT Models, COBIT 4.1, Financial Enterprise Audit

Short URL: https://sciup.org/15013232

IDR: 15013232

Text of the research article: Measuring the Performance of IT Management in Financial Enterprise by Using COBIT

Published Online February 2014 in MECS

enhance the work quality, starting from simple work in the enterprise (e.g. interest calculation for private, deposit, or credit accounts) to the integrated use of computers for transaction, transfer, and credit order processes. It will be very harmful if any errors happen during those computer processes. Some important reasons why an IT audit needs to be done at Bank X are: (1) to prevent losses and the risk of leakage due to loss of data, (2) to prevent decision-making errors and computer abuse, (3) losses due to errors in the calculation process, and (4) the high value of the investment in computer hardware and software [2].

Regulation No: 9/15/PBI/2007, issued by Bank Indonesia for financial enterprises, contains the obligation of every bank to identify, manage, and control the risks that might occur in the operational activity of information technology, the communication network, and the end-user computing system, to ensure the effectiveness, efficiency, and security of those activities [3]. The absence of an information technology audit in Bank X was the main reason why the present study was undertaken.

Measuring the performance of information technology management contributes to the future performance of the financial enterprise itself. Good information technology management can serve as a direction for a big organization, even for government. COBIT (Control Objectives for Information and related Technology) is an audit standard for information technology which can be used to measure, in this case, information technology performance. The COBIT framework focuses on control and provides a set of best practices for financial management, for instance ensuring service delivery and providing exact values for performance measurement along with its error level [4].

In this study, COBIT is also used as a tool to create an effective implementation of electronic banking management within the enterprise. Measurements were conducted to determine the current maturity level of IT management performance in Bank X. The COBIT maturity model framework is used as a basis to set targets based on the influencing factors, so that the gap can be obtained from the maturity level.

The remainder of this paper is organized as follows: Section 2 describes the theoretical framework that was used to measure the performance of IT management based on COBIT 4.1. Section 3 explains the methodology for measuring the performance of IT management. Section 4 presents the result, analysis, and evaluation of the maturity level. The conclusion and future work are given in the final section.

  • 2.  Theoretical Framework

    • 2.1    Definition of Information Technology Audit (IT/IS Audit)

The term IT/IS audit can also be defined as the activity of gathering and evaluating evidence to decide whether the information technology processes in the enterprise (1) have been managed based on the standard; (2) have been complemented by control objectives to observe their use; and (3) have fulfilled certain business purposes effectively. In short, an IT/IS audit emphasizes the combination of the fit and proper test and the substantive test. They are observed carefully so that a balance can be reached based on the conditions of the audit process [6].

  • 2.2    Bank Indonesia Regulation

    Bank Indonesia is the sole regulator for Indonesian banks – private and regional banks – and issued Bank Indonesia Regulation No:9/15/PBI/2007 about the Applied Risks Management in the Use of Information Technology by Public Banks. It is clearly stated in Article 12 Paragraph 1 that every bank is obliged to identify, manage, and control the risks which might exist in the operational activity of information technology, the communication network, and the end-user computing system, to ensure the effectiveness, efficiency, and security of those activities by [3]:

  • f)   controlling the operational activity of the

  • g)   controlling the application which is being developed by other than the information technology team.

  • 2.3    Information Technology Governance

Information Technology Governance has an inclusive definition which covers Information Systems (IS), technology and communication, business and law, as well as other issues which involve almost all stakeholders (e.g. directors, executive managers, process owners, suppliers, IT users and even IT/IS auditors). Shaping and organizing the governance itself is the responsibility of the board of directors and executive managers. It is an integrated part of enterprise management that consists of its leaders along with the organization structure and other processes ensuring that IT Governance sustains and extends the strategies and targets of the enterprise. IT Governance has to make sure that the effectiveness and efficiency of the enterprise's business enhancement process are measured through a particular structure that is related to IT and aimed at the enterprise's strategic path. IT Governance combines best practices of planning, management, application, and IT performance observation to make sure that IT really supports the enterprise in its effort to reach its goals [4].

The main focus of this IT Governance area can be divided into five parts. They can be seen in the Fig. 1 below.

Figure. 1: IT Governance Focus Area

The main focus areas described by the IT Governance Institute Team are as follows [4][6][7]:

  • a)    Strategic Alignment: focuses on ensuring the connection between business strategy and IT, and on keeping IT operations in line with the business goals.

  • b)    Value Delivery: concerns value delivery that confirms IT will bring the promised benefits, by focusing on budget optimization and proving the absolute value of the presence of IT itself.

  • c)    Risk Management: covers the application of IT, which should include risk identification so that the impact can be handled.

  • d)    Resource Management: relates to optimizing investment in critical IT resources and managing them correctly. These include applications, information, infrastructure, and human resources. The key issue is the optimization of knowledge and infrastructure.

  • e)    Performance Measurement: observes and monitors the implementation of the strategy, completion of running projects, resource use, process performance, and delivery using a certain framework (i.e. a balanced scorecard that translates strategies into actions to achieve the exact goals, compared to conventional accounting).

  • 2.4    COBIT Framework

Control Objectives for Information and Related Technology, known as COBIT, is a set of best practices (a framework) for IT Governance (IT management). COBIT is also a series of documents and guidelines for IT Governance that helps auditors, management, and users to bridge business risks, control needs, and technical problems. COBIT is beneficial for auditors since it is a technique that helps them identify IT control problems. COBIT is also very useful for IT users because it gives them confidence in the application systems they rely on. Furthermore, managers benefit in deciding on IT investment and infrastructure, preparing the strategic IT plan, choosing the information architecture, and system procurement (purchasing/buying). COBIT supports management in optimizing IT investments through measurements that give a warning signal when an error or risk arises. IT resources are an element that COBIT addresses extensively, including the fulfillment of business needs for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information [4][7].

The COBIT Framework consists of three levels of control objectives. The lowest level (i.e. activities) covers routine activities that follow a life cycle concept. Several activities are then grouped into IT processes, and IT processes that deal with the same problem are organized into a domain. The COBIT Framework concept is illustrated as a whole by a three-dimensional cube, which consists of IT processes, information criteria, and IT resources.

Figure. 2: COBIT Cube Framework Concept

COBIT Framework is made of four main domains, namely [4]:

  • a)    Planning & Organization. This domain mainly concerns the planning and organizing of IT and enterprise strategies.

  • b)    Acquisition & Implementation. This domain deals with the selection, procurement, and application of the IT used in the enterprise.

  • c)    Delivery & Support. This domain is mainly about IT service processes and their technical support.

  • d)    Monitoring & Evaluation. This domain concerns the IT security process in the organization.

  • 2.5    Maturity Model using COBIT Framework

IT performance measurement is aimed at keeping the contribution of IT in line with the strategies set by the management. Analysis of IT performance measurement is compulsory since it depicts the capability of IT. Moreover, it is used to find out whether the goals of the enterprise have been fulfilled or not. When connected to the enterprise's targets and goals, IT performance measurement can be used as a basis to evaluate the success or failure of IT-related activities in fulfilling their goals and particular business targets. The COBIT maturity models focus on maturity, but not necessarily on coverage and depth of control. They are not a number to strive for, nor are they designed to be a formal basis for certification with completely separate levels that create thresholds that are difficult to cross. However, they are designed to be applicable, with levels that provide a description an enterprise can recognize as best fitting its processes. The right level is determined by the enterprise type, environment and strategy. The advantage of using the COBIT maturity model is that the management can easily know the condition of the enterprise. The 0-5 scale is based on a simple maturity scale showing how a process evolves from a lack of capability to an optimized capability. This approach is taken from the Software Engineering Institute maturity model. Levels in this model are developed for each of the 34 COBIT processes [4].

  • 2.6    Critical Success Factors (CSF)

Critical Success Factors (CSF) give guidelines to the management in applying IT controls and their processes. Critical Success Factors are the vital things that need to be done for a process so that it contributes to IT processes achieving their purposes. They usually relate to ability and skill, are focused and action-oriented, and make use of resources [8].

  • 2.7    KPI and KGI

Key Performance Indicators (KPI) refer to measurements used to show the performance of each IT process. KPI are usually expressed as indicators of capability, application, and IT resource ability. They focus on how a process is run. KPI are focused and measurable indicators of the performance of the factors supporting IT processes, and show how well a process supports the enterprise in reaching its goals. While Key Goal Indicators (KGI) concern the "what", Key Performance Indicators focus on the "how". KGI and KPI are commonly used as measurements of CSF. As they are observed and evaluated, opportunities for process correction are identified. These corrections should affect the result positively. KPI have a cause-and-effect relationship with the KGI of the process. In some cases, composite measurement is suggested to observe KPI as well as KGI [8].

  • 3.    Methods

The method used is illustrated in Fig. 3 below:

Figure. 3: Research Methodology

The methods used to get information of IT management performance in this financial enterprise were (1) understanding the regulation issued by Bank Indonesia, (2) testing using questionnaire of IT levels of control based on COBIT Framework, (3) using survey and direct interview which were then compared to the levels of maturity, (4) determining CSF, KGI, and KPI, and (5) giving suggestions for the system improvement.

The data for testing the performance of information technology management at the financial enterprise were drawn from questionnaires and interviews. A questionnaire is a data collection technique that uses a list of questions to understand respondents' views on the variables considered in the implementation of IT/IS governance in the enterprise. The questionnaire data were collected directly from top and middle level management (Board of Directors, heads of division, and chiefs of staff) in Bank X. The aim was to obtain data on the targets achieved and the assessments carried out by the enterprise. Considering that respondents in the enterprise may come from different educational backgrounds, the questionnaire was given to three different samples: (1) respondents that understand IT theoretically and practically, (2) respondents with adequate understanding of IT, and (3) respondents that do not understand IT at all.

The study used two questionnaire phases. The first was the Awareness Level Questionnaire, which was only delivered to Top-Level Management in the enterprise. Sixteen (16) respondents took part: four (4) members of the Board of Directors and twelve (12) Heads of Division. The Maturity Level Process Questionnaire, on the other hand, was given to Top-Level and Middle-Level Management in the enterprise. Forty-nine (49) respondents, consisting of four (4) members of the Board of Directors, twelve (12) Heads of Division and thirty-three (33) Chiefs of Staff, filled in this standard COBIT 4.1 Implementation Toolset questionnaire.

The respondents were asked to tick (✓) the column they considered most representative of the situation in the enterprise. The questionnaire results were then calculated as a percentage for every IT process considered to contribute highly to business goals or to have a high need to be selected, as input for preparing the maturity level questionnaire and for improving IT management. An example of the Awareness level questionnaire design for the IT domain Plan and Organize (PO) can be seen in Table 1 below. The Awareness level is divided into five levels, namely: (1) Very Unimportant-VUI; (2) Unimportant-UI; (3) Somewhat Important-SI; (4) Important-I; and (5) Very Important-VI [9].

TABLE 1: Awareness Level Questionnaire Excerpt

| IT PROCESSES | AWARENESS LEVEL: VUI | UI | SI | I | VI |
|---|---|---|---|---|---|
| PO 01. IT development company has planned to align IT development goals with corporate goals. Long-term goals and short-term function has been planned with reference to existing IT systems. | | | | | |
| PO 02. Information system architecture has been designed to the level of data structures and system security. | | | | | |
| PO 03. Towards the use and procurement of technology used (hardware and software) has planned to estimate the development trend of the technology aspects of the accompanying regulations. | | | | | |
| PO 04. Implementation of IT in the company has been planning with human resources Department (HRD) were well-develop. Organizational structure and the management include the level of service provided by IT. | | | | | |
| PO 05. Application of IT in the enterprise has been accompanied by an evaluation or assessment of financing and the accompanying benefits. | | | | | |
| PO 08. Application of IT in the enterprise has been accompanied by a party planning needs, such as security and ergonomics compliance, privacy and intellectual property, and e-commerce. | | | | | |
| PO 10. Application of IT in the enterprise has accompanied the process of planning its implementation, such as the participation of departments in determining IT needs, defining the project, evaluation, testing and user training on IT. | | | | | |

Moreover, an excerpt of the maturity level questionnaire design, which measures the appropriateness level at maturity level zero (for IT process PO1), is shown in Fig. 4 below.

Figure. 4: Maturity Level Questionnaire Excerpt

The questionnaire design in Fig. 4 above contains several components in the checklist. Each component is explained below, based on Fig. 4:

  • 1)    The component which is shown by number 1 is the name and process number of IT observed.

  • 2)    The component shown by number 2 is the maturity level which then will be used to distinguish each level of contribution.

  • 3)    Component 3 consists of statement description which is used as a guideline for the questions in the process of data collection.

  • 4)    Component 4 is evaluation guideline in a form of number obtained in the observation and interview process.

  • 5)    Component 5 is total weight of all questions used in the questionnaire.

  • 6)    Component 6 is calculation of value from each question. This will be used as contribution value for each level.

Each question item in PO1 – with zero maturity level in Fig. 4 – is based on the IT Governance Institute Team standard in the COBIT 4.1 book (page 32) [4].

  • 4.    Result and Analysis

    • 4.1    Deciding the Domain Process

The definition of Business Goal in COBIT 4.1 is matched to the purposes and goals of the enterprise. In this step, business goals were identified by analyzing the goals of the enterprise and relating them to the business goals in COBIT 4.1. The IT processes for auditing in this enterprise obtained from this comparison are:

TABLE 2: Information Technology Process which is relevant with the goals of the enterprise

| Domain | IT Processes |
|---|---|
| Plan and Organize | PO1, PO2, PO3, PO4, PO5, PO8, PO9, PO10 |
| Acquire and Implement | AI1, AI2, AI4, AI5, AI6 |
| Deliver and Support | DS1, DS2, DS3, DS4, DS7, DS8, DS10, DS13 |
| Monitor and Evaluate | ME1, ME4 |

Not all of the processes mentioned above were used, since the risks (i.e. funds and time) arising from changing a process might affect the processes already running. The processes chosen were those rated very important in the Awareness Level Questionnaire. The result obtained from the questionnaire and interviews took into account the purpose of this study as well as the enterprise's purpose and the criticality of the business process. It can be seen in Table 3 below:

TABLE 3: IT processes that are used as the basis of Maturity Level Questionnaires

| IT Process | Process Description |
|---|---|
| PO 01 | Define a Strategic IT Plan |
| PO 02 | Define the Information Architecture |
| AI 04 | Enable Operation and Use |
| DS 07 | Educate and Train Users |
| ME 01 | Monitor and Evaluate the IT Performance |
| ME 04 | Provide IT Governance |

  • 4.2    Measurement of Maturity Level

Continuous improvement of IT management is possible once the enterprise evaluates its existing condition. It should be kept in mind that the term "maturity level" refers to the maturity of an IT process in the enterprise and is represented as a numbered level. The values in the maturity level questionnaire are based on Table 4 below [6][9]:

TABLE 4: Maturity Level Questionnaire Value

| Answer | Score |
|---|---|
| Disagree | 0 |
| A Little | 0,33 |
| Quite a Lot | 0,66 |
| Completely Agree | 1,00 |

Furthermore, the weighted scores of the mapped questionnaire statements were added up and divided by the number of statements involved. The score gained from that calculation was then used as a guideline in determining the maturity level based on the maturity index shown in Table 5 below [4][9].

TABLE 5: Assessment Criteria

| Maturity Index | Maturity Level |
|---|---|
| 0,00 – 0,50 | 0 – Non-existent |
| 0,51 – 1,50 | 1 – Initial/ad hoc |
| 1,51 – 2,50 | 2 – Repeatable but Intuitive |
| 2,51 – 3,50 | 3 – Defined Process |
| 3,51 – 4,50 | 4 – Managed and Measurable |
| 4,51 – 5,00 | 5 – Optimized |

The IT process maturity level was acquired through examining contribution level from each level in the particular process. Process contribution will give a description of how great the impact of appropriateness on each of those IT process maturity levels is. The contribution was then multiplied by appropriateness level from each maturity level. IT process maturity level refers to total score of mature level that will be gained by that multiplication. Fig. 5 below shows an example of maturity level calculation in PO2 level 0-5 process:

[Spreadsheet screenshot; the cell values did not survive extraction. Columns: No.; Respondents; Compliance Level PO1 for levels 0 to 5 (Ncompliance = Σvalue / Σweight); Maturity Level PO1 for levels 0 to 5 with contributions 0; 0,3; 0,7; 1; 1,3; 1,7 (TK = Ncompliance × contribution); Average of Maturity Level (M = ΣTK). Each row is one respondent: members of the Board of Directors, Heads of Division, and Chiefs of Staff.]

Figure. 5: An Excerpt of Maturity Level PO1 Calculation by Ms. Excel.

The example of maturity level calculation in Fig. 5 above shows the IT process from level 0 to 5. The compliance level column is the result of calculating the total score of each process (level 0 to 5) and then dividing it by the weight value. The contribution for each level remains the same for every IT process with the relevant maturity level (Ncontribution = level 0→0; level 1→0,3; level 2→0,7; level 3→1; level 4→1,3; level 5→1,7) [9]. Meanwhile, the score column holds the compliance level multiplied by the contribution of each level. The total maturity level value was obtained by adding the maturity values of all levels (0 to 5) in a particular process. Based on this calculation, the maturity results for all IT processes used are given in Table 6 below:

TABLE 6: The result of IT Process Maturity Level

| IT Process | Maturity Level |
|---|---|
| PO1 | 3,31 |
| PO2 | 2,55 |
| AI4 | 2,93 |
| DS7 | 3,34 |
| ME1 | 3,13 |
| ME4 | 3,44 |
| Average | 3,12 |

The IT process maturity target is the ideal condition for the expected maturity level. It is used as a guideline for a good IT management model in the enterprise. It is determined by examining the internal business environment and the high expectations of the management in Bank X regarding the COBIT IT processes that need to be applied. From the vision and mission, the enterprise's purpose, and the adoption of IT purposes in Bank X, some important reasons can be taken into consideration before determining the expected IT process maturity level. Considering several factors, including the high expectations of the management board, it can be concluded that the maturity level used as a guideline in developing IT management is scale 5, i.e. IT management has been optimized.
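The calculation described in Section 4.2 (Tables 4 and 5, the per-level contributions, and the gap against the level-5 target) written out as an added example; it is not code from the paper, whose authors worked in a spreadsheet. It assumes every statement has a weight of 1 and that a process index is the mean of the respondents' totals; the function names and the sample answers are constructed for illustration.

```python
"""Maturity index of a COBIT process, following Section 4.2 and Tables 4 and 5."""
from statistics import mean

# Table 4: questionnaire answer -> score
ANSWER_SCORE = {
    "Disagree": 0.0,
    "A Little": 0.33,
    "Quite a Lot": 0.66,
    "Completely Agree": 1.00,
}
# Contribution of maturity levels 0..5 as given in the text; the values sum to 5.0
CONTRIBUTION = {0: 0.0, 1: 0.3, 2: 0.7, 3: 1.0, 4: 1.3, 5: 1.7}
# Table 5: inclusive upper bound of each maturity-index band -> maturity level
BANDS = [
    (0.50, "0 - Non-existent"),
    (1.50, "1 - Initial/ad hoc"),
    (2.50, "2 - Repeatable but Intuitive"),
    (3.50, "3 - Defined Process"),
    (4.50, "4 - Managed and Measurable"),
    (5.00, "5 - Optimized"),
]
TARGET = 5.0  # expected maturity level stated for Bank X


def compliance(answers):
    """Compliance level of one maturity level: total score / number of statements.

    Assumption: each statement carries a weight of 1.
    """
    if not answers:
        raise ValueError("a maturity level needs at least one answered statement")
    unknown = [a for a in answers if a not in ANSWER_SCORE]
    if unknown:
        raise ValueError(f"answers not listed in Table 4: {unknown}")
    return sum(ANSWER_SCORE[a] for a in answers) / len(answers)


def maturity_from_compliance(by_level):
    """Sum over levels 0..5 of compliance level x contribution."""
    if set(by_level) != set(CONTRIBUTION):
        raise ValueError("compliance is required for exactly the levels 0 to 5")
    return sum(by_level[lvl] * CONTRIBUTION[lvl] for lvl in CONTRIBUTION)


def respondent_maturity(sheet):
    """sheet maps each level 0..5 to the answers one respondent ticked."""
    return maturity_from_compliance(
        {lvl: compliance(answers) for lvl, answers in sheet.items()}
    )


def maturity_level(index):
    """Map a maturity index to its Table 5 level (index rounded to 2 decimals)."""
    index = round(index, 2)
    if not 0.0 <= index <= 5.0:
        raise ValueError(f"maturity index out of range: {index}")
    for upper, name in BANDS:
        if index <= upper:
            return name


def assess(sheets_by_process, target=TARGET):
    """Index, level and gap to target per process.

    Assumption: the process index is the mean of the respondents' totals.
    """
    report = {}
    for process, sheets in sheets_by_process.items():
        index = round(mean(respondent_maturity(s) for s in sheets), 2)
        report[process] = {
            "index": index,
            "level": maturity_level(index),
            "gap": round(target - index, 2),
        }
    return report


# Constructed sample: two respondents answering two statements per level for PO1.
SAMPLE = {
    "PO1": [
        {0: ["Disagree", "Disagree"],
         1: ["Completely Agree", "Quite a Lot"],
         2: ["Quite a Lot", "Quite a Lot"],
         3: ["Completely Agree", "A Little"],
         4: ["Quite a Lot", "Completely Agree"],
         5: ["Quite a Lot", "A Little"]},
        {0: ["Disagree", "Disagree"],
         1: ["Completely Agree", "Completely Agree"],
         2: ["Completely Agree", "Quite a Lot"],
         3: ["Quite a Lot", "Quite a Lot"],
         4: ["Quite a Lot", "A Little"],
         5: ["A Little", "A Little"]},
    ],
}

if __name__ == "__main__":
    for process, row in assess(SAMPLE).items():
        print(process, row)
```

Because the contributions sum to 5.0, full agreement on every level yields exactly the level-5 target, and the gap is the distance from that ceiling.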

  • 4.3    Gap Maturity Level Analysis

Table 7 below shows the gap analysis between the present maturity level and the maturity level expected by the enterprise.

TABLE 7: Gap Maturity Level

| IT Process | Current | Expected | Gap |
|---|---|---|---|
| PO 1 | 3,3 | 5,0 | 1,7 |
| PO 2 | 2,6 | 5,0 | 2,4 |
| AI 4 | 2,9 | 5,0 | 2,1 |
| DS 7 | 3,3 | 5,0 | 1,7 |
| ME 1 | 3,1 | 5,0 | 1,9 |
| ME 4 | 3,4 | 5,0 | 1,6 |

Figure. 6: A Graphic of Current and Expected Maturity Level

Based on the spread of the maturity levels of the COBIT IT processes shown in Fig. 6, it can be concluded that all domains have an average maturity level of 3-defined. This means that, in general, the IT processes used in the enterprise have been defined and have a standard guideline. They also have documented procedures that have been communicated through formal training, but their implementation still depends on the person who runs them. The procedures made were also limited to their initial form. Meanwhile, the condition expected by the enterprise was maturity level 5-optimized, which means that all processes are examined all the time and managed optimally. IT use has been integrated into all parts of the organization. Furthermore, supporting tools are used to increase quality as well as performance effectiveness in the enterprise.

  • 4.4    Recommendation for Reducing the Gap

To close the maturity level gap of IT management in Bank X, the COBIT 4.1 High Level Control Objectives can be applied in the following steps [4][10][11]:

TABLE 8: Recommendation for Reducing the Gap

IT Process | Recommendation for Reducing the Gap

PO 1

  • a.    A realistic and strategic IT plan that reflects technology change with regard to business development should be developed and renewed so that the ability to create new business and the competitiveness of the enterprise can be increased.

  • b.    Particular information related to the long and short term IT plan should be updated in the organization based on what the enterprise needs.

PO 2

  • a.    A policy of information architecture including strategic and standardized requirements should be developed. It should then be consistently obeyed by all levels of management in the enterprise.

  • b.    Formal system training should be carried out and be compulsory for all employees so that they possess the abilities and skills needed to develop and support a strong and responsive information architecture in the enterprise.

  • c.    Accountability for the performance of the information architecture process should be established. The success of the information architecture can be measured using metrics.

AI 4

  • a.    A framework and controls should be determined to build discipline towards the IT operational standard in the enterprise.

  • b.    The development of documentation and training materials should be enhanced. The enterprise's business processes and training program should be integrated so that they support not only the IT-oriented procedures but also the entire organization.

DS 7

  • a.    Education and training control as well as violation detection should be improved in the enterprise.

  • b.    Problem analysis of IT training and education should be applied in the enterprise.

ME 1

  • a.    The quality of the IT performance process should be increased with clear metrics integrated across all IT processes in the enterprise.

  • b.    IT measurement whose function matches the purpose of the enterprise as a whole should be increased.

ME 4

  • a.    Process control should be carried out entirely by the management.

  • b.    Awareness of future IT management problems along with their solutions should be raised at all levels of enterprise management. It can be supported by training and by communicating the newest concepts to the IT management.

  • c.    Understanding of responsibility should be increased. It should then be controlled through a Service Level Agreement between service provider and user which clarifies the quality level of the service itself.

  • d.    IT management problems should be identified efficiently. The root of each problem should then be analyzed carefully.

  • e.    The empowerment of technology, human and fund resources should be enhanced to increase the competitiveness of the enterprise. In addition, IT management activity can also be integrated well with the enterprise management process.

  • 4.5    Measurement of Interest Rate

Based on the analysis of the Awareness level questionnaires distributed to the top-level management board of Bank X, the Awareness level of the relevant processes is connected to the enterprise's business achievement. The grading of these processes is divided into five, namely [9][11]:

  • a)    Very Important Review values 4

  • b)    Important Review values 3

  • c)    Somewhat Important Review values 2

  • d)    Unimportant Review values 1

  • e)    Very Unimportant Review values 0

The final calculation of Awareness level was done using formula in Fig. 8. The range of final score can be seen at table below[9]:

TABLE 9: Final Score Recommendation and Level

| Index of Final Score | Levels |
|---|---|
| 0 | Very Unimportant |
| 1-25 | Unimportant |
| 25-50 | Somewhat Important |
| 50-75 | Important |
| 75-100 | Very Important |

Figure. 7: Formula used in calculating Awareness level

The results of the Awareness level questionnaire were calculated for the IT processes PO1, PO2, AI4, DS7, ME1, and ME2. It was found that the Awareness level of those processes has an average score of 92,67 (based on Table 10), which means all processes were very important (based on Table 9) to be given IT Governance.

TABLE 10: Gap and Awareness Level Process

| IT Process | Gap Level | Awareness Level Process in Bank X: Important | Not Important |
|---|---|---|---|
| PO 1 | 1,7 | 86,67 | 13,33 |
| PO 2 | 2,4 | 96,72 | 3,28 |
| AI 4 | 2,1 | 88,28 | 11,76 |
| DS 7 | 1,7 | 96,36 | 3,64 |
| ME 1 | 1,9 | 88,00 | 12,00 |
| ME 4 | 1,6 | 100,00 | 0,00 |
| Average | 1,9 | 92,67 | 7,33 |

Figure. 8: Awareness Level of the Information Technology Process

  • 4.6    Deciding CSF, KPI and KGI

Based on the Awareness level of the IT processes, namely PO1, PO2, AI4, DS7, ME1, and ME2, calculated in the previous part, the Awareness level has an average score of 92,67. It can be inferred that the system is very important (based on Table 9); thus the whole information technology management model should be given Critical Success Factors (CSF), Key Performance Indicators (KPI), and Key Goal Indicators (KGI). The following are examples of CSF, KPI, and KGI for DS7 [8]:

TABLE 11: An example of CSF, KPI and KGI for DS7 COBIT

Process name: Deliver and Support 7 (DS 7) – Educate and Train Users

Business Targets: The effectiveness and efficiency of using technology applications and solutions, as well as ensuring all users follow the rules, policies, and procedures.

Information Process Purposes: Clear understanding about the needs of information technology user trainings, effective strategy of conducting the trainings, and strategy of conducting

  • -    Enterprise policy which obliges all employees to accept the basic training program involves ethical attitude, security system of the practice, and agreement on information technology resources.

Key Goal Indicators (KGI) :

  • -    Measuring the optimization of employee number increase to maximize the business value

  • -    Measuring the increase in employee awareness of ethics code requirements, security system principles, and safe task completion

  • -    Assessing the practice of security enhancement to protect the enterprise from the risk of failure, which might affect its supply, privacy, and integrity.

  • -    The numbers of help desk calls for training or answering the questions

  • -    Enhancing the users’ satisfaction by producing new technology

Key Performance Indicators (KPI) :

The maturity level analysis conducted previously shows that all relevant IT processes (PO1, PO2, AI4, DS7, ME1, and ME4) have a maturity level of three (3). This means that the maturity level of IT Management performance in Bank X, according to Framework COBIT 4.1, is defined. In other words, the information technology processes in the enterprise have generally been defined and have basic standards and procedures that are documented and communicated through formal trainings, but their implementation still depends only on the person who runs them. To reach the expected maturity level, some rules, policies, recommendations, and suggestions for revision of government-based information technology have been created.

Questionnaire analysis of the Awareness level shows that the selected information technology processes have an average Awareness level of 92,67, which means that it is very important to have suggestions on IT Governance in the form of critical success factors, key goal indicators, and key performance indicators. By using those rules and indicators, it is expected that information technology management can be directed and driven by good information, so that resources can be used in a better way and a standard model of information technology processes in the enterprise can eventually be built.

References

  • WBP. Top 50 Bank in Indonesia 2013. Investor Magazine: Jakarta. 2013.
  • Weber, Ron. Information System Control and Audit. Prentice-Hall. 2000.
  • Regulation of Bank Indonesia Number: 9/15/PBI/2007. Jakarta. 2007.
  • IT Governance Institute Team. COBIT 4.1. USA: IT Governance Institute. 2007.
  • Sayana, Anantha. The IS Audit Process. India: ISACA. 2002.
  • Sarno, Riyanarto. System Audit & Information Technology. Surabaya: ITS Press. 2009.
  • Gondodiyoto, Sanyoto. Information System Audit +Approach of COBIT. Jakarta: Mitra Wacana Media. 2007.
  • IT Governance Institute Team. COBIT 3rd Edition Management Guidelines. USA: IT Governance Institute. 2000.
  • IT Governance Institute Team. COBIT Implementation Tool Set. USA: COBIT Steering Committee and the IT Governance Institute. 2000.
  • IT Governance Institute Team. COBIT 3rd Edition Audit Guidelines. USA: IT Governance Institute. 2000.
  • Sukarsa, I Made. Assesment of COBIT Maturity Level with existing conditions from auditor. IJCSIS. 2012.
  • ITGI. Board Briefing on IT Governance 3rd Edition. From www.itgi.org. 2004.
Scientific article