The Improvement of IT Processes at Office X in one of the Cities in Indonesia

Published Online November 2019 in MECS DOI: 10.5815/ijieeb.2019.06.01

The advances in information and communication technology (ICT) and the widespread development of the global information infrastructure led to adequate significant changes of pattern and the way the community does activities, both at the level of organizations, institutions, industry, or government. The use of the conventional method has started to be abandoned and began to migrate using technology to help all activities undertaken. The proper use of information technology can improve the efficiency and effectiveness of performance to meet the needs of the organization. The use of information technology in educational institutions also require good governance so as to ensure transparency, efficiency, and effectiveness of any business process that runs on the institutions.

A system, no matter how sophisticated it is, cannot escape from problems that can occur thus management and supervision need to be done in order to achieve that purpose, one of which is through an information technology audit. Audit of information technology is one method of evaluation of an object, whether the object in the form of organization, system, process, or product. The audit can be performed in any organization with any business process according to the needs of the organization concerned.

The Office X is one of the institutions which regulates education from kindergarten through junior high and arranges employment issues for employees and teachers. Office X has used technology assistance in carrying out some work programs in each department, but there are still a number of work programs that are done manually such as the management of sports infrastructure in the city.

Good governance in an institution can make the process to carry out smoothly and at the will of officials, so that the goals of the institution can be achieved more easily, however, governance and information system used in these institutions are certainly not immune from errors that can occur, and therefore need to be audited in order to determine the maturity of information technology system used whether it is in accordance with the wishes of the organization or not. Control Objectives of Information and Related Technology (COBIT) is a methodology that consists of standards and controls designed to assist organizations in implementation, review, administration, information technology, and environmental monitoring. COBIT is one of the guides that has been widely used by large companies to become a reference to the best practice in conducting the assessment of the existing system in an organization or company. Based on this, in order to know the level of system capability used at Office X, there should be an audit on the system so that the system can be used better and more effectively, and can improve employee performance.

• II.    Theorical Framework

A literature study is a summary of the theories that are used as a support when conducting research. The followings are several theories that are used to conduct the research on the Information Technology Audit of the Office X.

• A.    Information Technology Audit

Audit can be defined as a set of systematic process which is conducted by respecting the objectivity of competent and independent parties in the acquisition and assessment of the evidence against demands associated with economical things or events. The purpose of audit is to provide an overview of certain conditions that took place in companies and reporting on the fulfillment of a set of defined standards.

Audit process is one way to see the original condition of the company, whether the process that runs within the company has been carried out in accordance with the standards and meets the company’s expectations. The results of the audit process can be used by the company to fix the holes in the running process so that they can take appropriate action to correct these errors.

The book of “System Audit and Information Technology” by Riyanarto also explains the audit process performed in the information system or information technology, namely Information System (IS)/TI Audit is the process of collecting and evaluating evidence to determine whether the information system can protect assets, the existing information technology has kept the integrity of the data so that they can be effectively directed to the achievement of the business goals by using the resources efficiently. The appropriate use of information technology within a company will help minimize the time required to perform a business process and reduce the use of human labor needed[1].

• B.    Information Technology Governance

IT governance has an important role to help improve the performance of a company. IT governance can integrate a good practice to ensure that the use of technology in an enterprise support the goal of the company’s efforts. The use of technology can help the company to maximize output within the organization with good management of the technology itself. IT governance allows organizations to take full advantage of its information, thereby maximizing profits, taking advantage of opportunities and gaining competitive advantage. With the existence of good governance, the existing IT is expected to be able to meet the organizational goals. If information technology is managed according to the best practice of governance standards, then the existing information and technology would ensure to support business process, available resources and be used with responsibility and risk with proper control. It will support the goals of information technology governance to ensure that the IT performance is in accordance with the wishes.

It is important to realize that IT services are complex, strategic, as well as company’s assets. Therefore, the company must invest appropriate levels of organizational resource into critical IT support and services. All organizations that use IT definitely rely on IT for success. If the processes and services of IT are implemented, regulated, and supported by the appropriate level, the company’s business will run more successfully, minimize revenue losses, renew business relationships, and achieve the company’s goals.

• C.    Balance Scorecard

Balanced Scorecard is a performance measurement framework that can balance two aspects, namely quantitative (financial) and qualitative (non-financial). Performance measurement within a company can support transparency so that all officials and employees can participate in improving the quality of performance. In general, the determination of the performance can be made by considering four aspects, namely financial aspect, customer aspect, business/internal aspect, and learning and growth aspect.

The first perspective, the financial perspective can provide a picture of how the performance strategy that was conducted can increase the company’s basic needs, which is income. In the financial perspective, there are three stages that the company will go through to become a mature company, and those are growth, sustain stage, and harvest. The stage of growth is a stage where the company has a goal to increase the sales growth, in which to achieve these goals then the investment made will spend more money than the company’s revenue. The stage of sustain stage is a stage in which the company will pursue the goal of maintaining the market that it currently has, normally the investment and revenue are balanced at this stage so that the company can be more relaxed because the capital that was used has been turned into a profit. The final stage is harvest in which the company only needs to reap the benefits of the investments made previously, this stage is the highest stage of growth of the financial aspects of a company.

The second perspective is the perspective of the customer which provides a description of how the company can define its target market. This perspective helps the company to be able to know how the company can satisfy customers from various aspects such as time, performance, service, and cost. The fulfillment of these aspects has goals of increasing the confidence of customers, improving services, and the quality of the relationship between customer and company.

The third perspective is the perspective of business/internal which is a description of how the management that runs in the company can help improve the financial and customer service, even innovations that are made to satisfy shareholders. There are three phases in performing the basic process in a business perspective/internal, namely: innovation process, operation process, and post-sale service process.

The last perspective is the perspective of learning and growth that provides an overview of infrastructure in terms of both human resources and supporting equipment that must be owned by the company for long-term improvement. The learning and growth include a maximum performance from employees, supported information system, and how the company can motivate their employees to be able to innovate on a regular basis [2].

• D.    COBIT

  Control Objectives of Information and Related Technology (COBIT) is a methodology that consists of standards and controls designed to assist organizations in implementation, review, administration, information technology, and environmental monitoring. COBIT can be regarded as a set of tools for IT management created by the Information System Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992, with the mission to develop, conduct research, and publish an information technology standards which is commonly accepted and always up to date to be used in daily business activities.

The first edition of COBIT was launched by ISACF foundation in 1996. The second edition of COBIT reflected an increase in the number of source documents, revisions at a high level and detailed control objectives and an additional set of tool implementation, which was published in 1998. COBIT on the third edition was marked by the entry of new major publisher of COBIT which was the IT Governance Institute (ITGI). ITGI was established by ISACA and the related foundations in 1998 and provided a better understanding and adopting the principles of IT settings. Through the addition of management guidelines, the third edition of COBIT was issued in 2000. In this edition, there are additions that include guidelines for management to implement COBIT and for its focus to be expanded and enhanced on IT governance. The fifth edition of COBIT is the latest version of the control objectives for information and related technology. This research uses COBIT 5, which is the latest edition because there are several additions to the IT process which can cover a wider scope.

COBIT contains a set of documentation of best practices for IT governance which can help auditors, users, and management, to bridge the gap between business risks, control needs and technical issues of IT. COBIT is helpful for auditors because it is a technique that can assist in the identification of IT controls issues. COBIT is useful for IT users because they gain confidence in the reliability of the application system used. Meanwhile, managers benefit from investment decisions in the IT sector and its infrastructure, develop IT Plan, determine information architecture, and decisions on procurement (purchase) of assets. The main purpose of COBIT is to provide clear policy and good practice for IT governance for organizations around the world to help senior management to understand and manage the risks associated with IT. COBIT does so by providing a framework for IT governance and detailed objective control instructions for management, business process owners, users, and auditors.[3]

COBIT 5 has 5 domain, namely Evaluate, Direct and Monitor (EDM) which contains 5 practice and 15 Activity, Align, Plan and Organise (APO) which contains 13 Practice and 72 Activity, Build, Aquire and Implement (BAI) which contains 10 Practice dan 68 Activity, Deliver, Service and Support (DSS) which contains 6 Practice and 38 Activity, Monitor, Evaluate and Assess (MEA) which contains 3 Practice and 17 Activity

• E.    ITIL Versi 3

The framework of ITIL version 3 is used as a guide in preparing operational steps so that the continuity of IT services can properly function. ITIL framework has a focus on the development of IT governance, especially in terms of services (IT service) and is ideal to be used as a guide in developing governance because of its best practices and possession of detailed library to develop steps in the procedure. IT governance considers two things namely the added value of IT for business and IT risk mitigation. The value of IT is driven by the strategic alignment of IT and business, while the risk mitigation is driven by a responsibility to the organization. Both require the support of sufficient resources and can be measured to ensure that the desired results are met.

• III.    Related Works

COBIT Framework in the audit process can be used to determine the maturity level or capability level of a company so that the company can fix its flaws and improve performance which is evaluated in the audit process. COBIT has a wide scope in terms of the evaluated aspects so that it can be used for most of the problems that occur in the company. COBIT is not only limited to companies engaged in business, but also governments, educational institutions, and others. Not only can it measure the capability level, but COBIT can also be used to provide recommendations to the company regarding the business process that still have weaknesses. The given recommendations are expected to improve the performance of the relevant process and raise the level of capability of the process[4,5,6,7]

The other framework which is also often used as a guide in the audit process is COSO. COSO is used to assess the performance of the business process in terms of internal controls such as how a company can manage the company environment, risk management, control of employee performance, maintain permanent harmony of communication between employees and employers, as well as keep an eye on how work is executed at the company. COSO may help to assess the business process that runs in the company to ensure the effectiveness of the process and can help to analyze problems that occur, whether it was caused by external or internal factors[8,9,10]

ITIL is a best practice that can be used in the evaluation of performance relating to the use of information technology in a company. ITIL provides a set of concepts for infrastructure management, development, and the operation of information technology (IT) as well as the improved service to customers. The maturity level of that in the evaluation process was determined and can be used as a guide for suggestions of improvements to increase the maturity of the process[11,12,13,14]

Balanced Scorecard is typically used as a method to represent the company’s business goals so as to facilitate the audit process, but it’s also not unusual for BSC to be used as the main framework for measuring performance in a company or government institutions. There are journals that also use BSC as a guide to create a questionnaire regarding the accreditation measurement in a hospital [15,16,17]

• IV.    Method

Fig.1. Research Stage of Audit Process at Office X

Figure 1 is the research stage of the Information Technology Audit at Office X. The research stage started from the process of literature review that collects documents and literature needed that are needed to reinforce the theoretical basis of the research. The second stage is the process of identifying business goals, followed by the identification of IT goals, and the identification of IT processes. The identification process of the company's business goals for audit with the framework of COBIT in its standard method using vision and mission. The vision and mission of the company are generally common so that it can use a work plan which was derived from the company’s vision and mission that was also paired with SOPs used by the company. These three processes of identifying is gradually conducted by mapping the business process with the available aspects in COBIT 5. The importance level questionnaire was made after it has finished identifying the IT Processes that will be evaluated. Results of the importance level questionnaire that are obtained are then processed to acquire the results of the process which are considered vital and need fast action. The process of these selection results was then reprocessed into a capability level questionnaire that will measure the level of ability of the company to run the process. The level results that had been obtained will be given suggestions for improvements and recommendations to improve the process performance.

• V.    Result and Analysis

• A.    The Selection of IT Processes

The selection of IT processes is the first process undertaken to conduct an audit. This processes are in the form of mapping which were conducted systematically starting from business process mapping to Business Goals, then Business Goals were mapped with IT Goals, and then further mapping of IT Goals with IT Processes will be conducted. The standard method in COBIT was mapping through the vision and mission that exist in the company.

Vision and mission of these institutions are generally broad and explained in general, one of the options that can be used to narrow the scope of the audit is to use a derivative of the vision and mission, one of which is work plan either for short-term, medium-term or long term. The work plan can also be paired with SOP owned by establishments to fit the processes carried out in the field (implementation). The research at the Office X used work indicators obtained from the RPMJ Year 2016-2021.

Table 1. Work Indicators

No	Work Indicator
1	Position of Winner of Sports and Arts Week at the Regional (Provincial) Level
2	The Availability of Sports Facilities and Infrastructure
3	The increase of the number of ASNs participating in BIMTEK
4	The fulfillment of Office Administration Service Needs
5	Fulfillment of employee infrastructure facilities at the Office X
6	The Rough Number of Participants & School Participation Rates for Every Education level
7	The Percentage of Certified Educator Staff
8	Percentage of Trained Workforce in Non-formal Education
9	The Number of Schools that Obtain the Improvement of Cyber School Facilities and Infrastructure
10	The Percentage of The Availability of Smart House Facilities and Infrastructure
11	The Percentage of C Package Graduates Equivalent to High School
12	The Percentage of the Implementation of Development and Preservation of Regional Arts and Culture

Table 1 is a list of work indicators used as a focus issue to be mapped to Business Goals so as to define IT processes according to the company’s problems.

Table 2. Mapping from Work Indicator to Business Goals

Work Indicator	Business Goals
	No	Keterangan
Position of Winner of Sports and Arts Week at the Regional (Provincial) Level	16	Skilled    and   motivated employees
The  Availability  of  Sports Facilities and Infrastructure	11	Optimization of business process functions
The increase of the number of ASNs participating in BIMTEK	16	Skilled    and   motivated employees
The   fulfillment   of   Office Administration Service Needs	11	Optimization of business process functions
Fulfillment of employee infrastructure facilities at the Office X	11	Optimization of business process functions
The Rough Number of Participants & School Participation Rates for Every Education level	11	Optimization of business process functions
The Percentage of Certified Educator Staff	9.	Decision making strategies based on existing information
Percentage of Trained Workforce in Non-formal Education	16	Skilled    and   motivated employees
The Number of Schools that Obtain the Improvement of Cyber School Facilities and Infrastructure	12	Business process cost optimization
The Percentage of The Availability of Smart House Facilities and Infrastructure	12	Business process cost optimization
The Percentage of C Package Graduates Equivalent to High School	9.	Decision making strategies based on existing information
The Percentage of the Implementation of Development and Preservation of Regional Arts and Culture	16	Skilled    and   motivated employees

Table 2. is the mapping result of the work indicators with Business Goals of COBIT. There are 12 program work indicators, each of which is paired with the Business Goals of COBIT. Perspectives relating to these work indicators are the customer perspective, the internal business process perspective and the learning and growth perspective. The selection of Business Goals from program performance indicators considers several components, that is business risk management, optimisation of business process functionally, operational and staff productivity.

Table 3. Selected business goals

No	Selected business goals
9	Decision making strategies based on existing information
11	Optimization of business process functions
12	Business process cost optimization
16	Skilled and motivated employees

Table 3 is the mapping result of the program work indicators with the Business Goals of COBIT. There are 12 work program indicators, each paired with the Business Goals of COBIT. The next stage in the determination of IT processes is a mapping from the result of Business Goals in the previous process with IT Goals. The mapping of Business Goals with IT Goals is conducted to translate from the business needs of the IT availability of the company.

Table 4. Selected IT Goals

No	IT Goals
1	Aligning IT with business strategies
5	Recognizing the benefits of empowering investments in IT and portfolio services
7	Delivery of IT services to suit business needs
8	Use of applications, information, and adequate technological solutions
11	Asset optimization, resources and IT capabilities
12	Empowerment and support of business processes by integrating applications and technology into the business process
14	Availability of reliable and useful information for decision making
16	IT personnel who are competent and motivated towards existing businesses

Table 4 is a list table of the set IT Goals after being paired with Business Goals. The number of IT Goals that had been set is 7 goals that are IT Goal Number 1, 5, 7, 8, 11, 12, 14, and 16. This goal of IT is what will be used to be paired in the next process so that it can find the IT Processes that are in accordance with the needs of the company. The third mapping was conducted between the IT Goals of the second mapping results with IT processes.

Table 5. IT Process Mapping Result

Domain	IT Process
EDM	EDM01, EDM02, EDM04, EDM05
APO	APO02, APO03, APO04, APO05, APO07, APO09, APO11
BAI	BAI02, BAI03, BAI04, BAI06, BAI07
DSS	DSS01, DSS03, DSS04, DSS06
MAI	-

There are 20 processes that remain and in accordance with the needs of companies based on the work indicators from a total of 34 IT Processes owned by COBIT. There are four processes of EDM domain, namely EDM01(Ensure governance framework setting and maintenance), EDM02 (Ensure benefits delivery), EDM04 (Ensure resource optimisation), and EDM05 (Ensure stakeholder transparency). There are 7 processes chosen of APO domain, namely APO02 (Manage Strategy), APO03 (Manage Enterprise Architecture), APO04 (Manage innovation), APO05 (Manage portofolio), APO07 (Manage human resources), APO09 (Manage service agreements), APO11 (Manage quality). There are 5 processes selected of BAI domain, namely BAI02 (Manage requirements definition), BAI03 (Manage solutions identifications and build), BAI04 (Manage availability and capacity), BAI06 (Manage changes), BAI07 (Manage Change Acceptance and Transitioning). There are 4 processes of DSS domain, namely DSS01 (Manage operations), DSS02 (Manage service requests and incidents), DSS04 (Manage service requests and incidents), and DSS06 (Manage business process control).

• B.    The Determination of Level of Importance

The level of importance questionnaire was based on the work indicators that had been determined. The statements on the level of importance questionnaire are the sum of IT processes and are modified again in order to be easily understood by the respondent. Internal importance questionnaire was made differently than the external importance questionnaire because both of these questionnaires have different goals. Internal importance questionnaire is divided into three parts in order to specialize the questions given to each field. The number of respondents of the external questionnaire is 17 and the number of respondents of the external questionnaire has a number which varies according to the RACI chart that was created earlier, and thus the calculation of the total score of the questionnaire was done by finding the average score of each question point in order to be balanced. The score of each statement was further sorted from the highest to the lowest so the five highest scores are obtained. The five highest scores can be regarded as the most important issues considered by the institution.

Fig.2. RACI Chart

Explanation:

R : Responsible (the party who does the activities)

A : Accountable (the party who is ultimately responsible and has the authority to decide a case)

C : Consult (the party whose feedback or advice is needed and contributes to the activity)

I : Inform (parties who need to know the results of decisions or actions)

RACI chart is a chart that can help to straighten the authority of each position in a particular process. Determination of parties who are respondents to the level of importance questionnaire can be done by creating the RACI Chart containing the running processes and the role of each party involved in it. RACI Chart is used to clarify the responsibilities of each position for each process in the audit.

Table 6. Selected COBIT 5 Domain

Domain	IT Process
APO07	Manage human resources
BAI02	Manage requirements definition
BAI04	Manage availability and capacity
EDM04	Ensure resource optimisation

Table 6 is the final result that is selected based on the assessment of the level of importance questionnaire. The five highest ranks on the results of the level of importance questionnaire refer to four IT processes, namely APO07, BAI02, BAI04, and EDM04 which were obtained from the mapping that has been done before.

• C.    The Determination of the Level of Capability

The results of the level of capability questionnaire were determined by the analysis of the questionnaire that had been rated by respondents who have the authorities. The questionnaire was filled out by six respondents who have the authority toward the process of Non-formal Teacher Certification, Sports Facilities and Infrastructure Management, Percentage Increase of General Champion of PORJAR, and Cyber School Facilities and Infrastructure Management that run in the Office X. The results obtained from each field were analyzed by finding the average of the points that were given by the respondents on the statement contained in the questionnaire. The results obtained for this whole process is at level 1 because the average value of this level 1 has not met the standards to go up to level 2 yet.

• D.    The Target Determination of the Level of Capability of IT Processes

The capability level target of IT processes is an achievement expected by the company from the IT processes that run on the company. The determination of this capability level target was obtained by interviewing the leaders of each IT process that was being evaluated. The capability level target of IT processes can be seen in Table 7.

Table 7. Gap

Proses TI	Current Capability (CC)	Expected Capability (EC)	Gaps (EC-CC)
APO07	1	5	4
BAI02	1	5	4
BAI04	1	5	4
EDM04	1	5	4

The table above describes the Current Capability (CC) whose current capability level is the analysis result of the capability level questionnaire that had been distributed, Expected Capability (EC) which is the capability level target expected by the company, and Gap (EC-CC) is the level gap which is the difference between the current capability and the expected capability so as to produce a range of levels that need to be met to achieve the level of expectations of the company.

• E.    Best Practice

Suggestions for improvement are given to the Office X to improve the performance of the company on the parts that had been evaluated in accordance with the selected IT processes, namely APO07 (Manage human resources), BAI02 (Manage requirements definition), BAI04 (Manage availability and capacity), and EDM04 (Ensure resource optimization). There are two types of suggestions for improvement, which are the improvement of the process previously owned by Office X and the recommendations on the new additions that can be used by Office X as consideration for the improvement of future performance. Suggestions for improvement are based on the guidelines of COBIT 5, ITIL v3, and COSO.

• 1.    Suggestions for Improvement of APO07

• 2.    Suggestions for Improvement of BAI02

• 3.    Suggestions for Improvement BAI04

• 4.    Suggestions for Improvement of EDM04

APO07 is a process which discusses how non-formal teachers who teach have ability according to the standard and competence and the technology provided can help achieve the fulfillment of non-formal teacher standards that improve the efficiency of the process. The improvement that can be done to improve performance is to make socialization, not only for the principal but also directly to teachers and prospective teachers who have received certification; Retrieving data directly from the system to avoid recurring file collection that makes the process of spending too much time; Overcoming errors in uploading data from the agency related to human error using data collected by the teacher; Suggestions that can be given for this process is that companies are advised to make training for non-formal teachers that can be done through online classes; making regular evaluation program to ensure the quality of each teaching staff, especially early childhood teachers who teach children at early age; there is an employee in every non-formal institutions who is in charge of the administration so that teachers are not occupied with the administrative stuff and focus on teaching.

BAI02 is a process that describes how Office X is able to define the needs of the sports facilities, and the management of these activities is in accordance with the company’s goals. Problems that occur in running this process is that the cause was already known and can be controlled by the company. Suggestions can be given to this process is that companies are recommended to create a system that can be used to input the required request (both for tools that are not yet available and request a replacement for broken tools). The official can easily access whether the request should be fulfilled or not. These systems can help shorten the time that it takes to serve the demand from the public.

BAI04 is a process that describes how the Office X can arrange the Cyber School facilities management processes in a more systematic and structured way. Suggestions that can be done to improve performance is to create a permanent program to manage the availability of facilities and infrastructures of Cyber School to which every school has so that the process management can be more structured; creating SOP, duties, and work plans which contain the details of the course of activities including the problems that occurred so as to receive future consideration; making a clear division of tasks for employees who are in charge so they can focus on completing the program in accordance with the specified deadlines; making activity report containing details of the activities including the problems occurred in order to be considered for the future; Re-examine the network used for the system used in the service so that it reduces the delay of work because the system cannot be used.

Suggestions that can be given for this process is that companies are advised that before preparing or providing a means for the management of Cyber School to school, schools are encouraged to prepare a qualified operator, in order to implement the program correctly. Socialization to the school must also be done so that every school is ready to operate Cyber School.

The explanation of Office X has met the requirements of the company’s resource with the most optimal way and in line with the economic cycle of the company. Management of resources has been done consistently so as to increase the percentage of the winner in PORSENIJAR.

Suggestions that can be done to improve performance is to conduct open meetings together with athletes and coaches to discuss strategy, in order to get the consideration of the athletes who understand the situation on the field so that the strategies can be made more accurately; Set the target of champions from every sport that still has disadvantages; increase the motivation of athletes with reward when they become the winner, but must be adapted to the budget that has been set; Periodic monitoring is carried out to ensure the strategies carried out can meet the targets set.

• VI. Conclusion

The audit process is one of the ways to see the original condition of the company, whether the processes run in the company have been carried out in accordance with the standards and meets the company’s expectations. There are many frameworks that can be used to perform an audit, one of which is COBIT 5. COBIT 5 is used because it has covered a wide enough range so that it can reach the issues raised in Office X. Unlike some researches that have been conducted before, this study uses the work indicators of a medium-term work plan that can be applied to Office X so that the problem can be focused on the work programs preferred by the company. Results of research conducted at Office X show that the capability level of the four processes audited which are APO07 (Manage human resources), BAI02 (Manage requirements definition), BAI04 (Manage availability and capacity), and EDM04 (Ensure resource optimization)

achieved by Office X was stopped at level 1 and thus require improvements and updates in order for so that the level reached is increased. Improvement of the evaluated work indicators is expected by implementing the suggestions given, such as adding some use of IT to processes whose performance is not yet optimal and improving ineffective processes.