p–ISSN: 2723 - 6609 e-ISSN: 2745-5254

Vol. 5, No. 9 September 2024 http://jist.publikasiindonesia.id/

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3716

Evaluation of IT Governance at Credit Union XYZ Financial

Institutions Using COBIT 5 Framework

Vinsensius Rekat

*, Gunawan Wang

Universitas Bina Nusantara, Indonesia

Email:

[email protected]

*, [email protected]

*Correspondence

ABSTRACT

Keywords: credit union

xyz, IT governance, cobit

5, recommendations,

capability level.

Since 2002, Credit Union XYZ has been utilizing

information technology in its lending operations. However,

the utilization of IT governance has not been optimal due to

various weaknesses, obstacles, and issues such as server

problems, downtime for maintenance, system change

requests, human resources, and recurring IT-related

problems. This research aims to assess the current IT

governance capabilities at Credit Union XYZ. The method

used is the COBIT 5 standard with a focus on the APO and

DSS domains tailored to the existing issues. Data were

collected through questionnaires distributed to the IT team

and relevant stakeholders. The selected COBIT 5 processes

include APO06 (Manage budget and costs), APO07

(Manage human resources), DSS01 (Manage operations),

DSS02 (Manage service requests and incidents), and DSS03

(Manage problems). The evaluation reveals a 1-level gap in

IT governance capabilities, with the current level at level 2

in Credit Union XYZ, while the target is level 3 in the future.

The researcher's recommendation to Credit Union XYZ is to

align IT processes with the standards and regulations

established by COBIT 5.

Introduction

Credit Union XYZ is one of the growing credit cooperatives at present. Established

on March 25, 1993, with an initial membership of 26 people, it has experienced rapid

development until now (Martin & Roychowdhury, 2015). As of December 2023, it has

had 73 branch offices serving 211,929 members. From 1993 to 2001, Credit Union XYZ

provided services and recorded transactions manually. Subsequently, computerized

systems were adopted from 2002 onwards. Despite the long-standing use of information

technology, its utilization is still perceived as suboptimal, prompting the need for further

evaluation due to various ongoing issues related to its implementation and governance at

Credit Union XYZ. These issues include non-standard server backup facilities, server

monitoring policy, prolonged downtime during IT asset problems, policies regarding

system requests, changes, and updates, human resources in the field of information

Evaluation of IT Governance at Credit Union XYZ Financial Institutions Using COBIT 5

Framework

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3717

technology, areas with poor signal coverage (blank spots), and recurring transaction

recording system issues at Credit Union XYZ (Rosenthal et al., 2010).

With the advancement of technology, the role of information technology becomes

increasingly crucial in supporting daily activities. (Jamesh & Prakash, 2018). Therefore,

efficient IT management is essential to ensure the security, reliability, and maximum

performance of Credit Union information systems. Rapid technological advancements

demand that Credit Union XYZ continuously strive to optimally utilize information

technology to remain relevant and competitive in the current era.

According to Nugrahanti, this competition drives every company to manage its

resources as optimally as possible to produce high-quality products and services that are

always available when needed. (Nugrahanti, 2015). IT Governance is a series of processes

to ensure the effective and efficient use of information technology to achieve the

organization's goals.

Credit Union XYZ, as a financial institution providing financial services to its

members, needs to continuously evaluate and improve its IT governance. This research

will explain the process of evaluating IT governance at Credit Union XYZ using COBIT

5. COBIT 5 provides a structured approach to managing and controlling IT, emphasizing

critical aspects such as compliance, security, and business value (Stockdale & Standing,

2006).

DOUGHT, 2015 also states that IT is an important part of the company and consists

of leadership and ensuring the organization's IT supports and expands its strategies and

goals (Doughty & Grieco, 2005). IT Governance will be the answer to ensuring that

investments in IT are aimed at providing maximum and beneficial results for the

institution. (Adikara, 2013). This research is expected to provide an in-depth

understanding of the maturity level of IT governance at Credit Union XYZ, identify areas

for possible improvement, and guide to enhance the efficiency and effectiveness of IT

management at Credit Union XYZ.

According to the Republic of Indonesia Law Number 10 of 1998 concerning

banking, "A bank is a business entity that collects funds from the public in the form of

deposits and channels them to the public in the form of loans and other forms to improve

the standard of living of the people" (Indonesia, 1998).

Based on the Financial Services Authority Regulation Number 11/POJK.03/2022

regarding the implementation of information technology by banks/financial institutions,

it is stated that the application of good IT governance applies to all units and functions of

banks in managing IT, and IT users. (Luthfah, 2024). In implementing good IT

governance, banks/financial institutions carry out at least the following activities:

1. Evaluation of strategic choices, direction of IT implementation strategies, and

monitoring of strategy achievement.

2. Alignment, planning, and organization of all units, strategies, and activities that

support IT implementation.

3. Definition, acquisition, and implementation of IT solutions and their integration into

Bank business processes.

Vinsensius Rekat, Gunawan Wang

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3718

4. Provision of operational IT service support to stakeholders; and

5. Monitoring performance and compliance of IT implementation with internal

performance targets, internal controls, and regulatory provisions.

According to the Republic of Indonesia Law Number 25 of 1992 concerning

Cooperatives, "A cooperative is a business entity consisting of individuals or legal entities

Cooperatives, based on cooperative principles as well as a people's economic movement

based on family principles" (Susetyo et al., 2024).

According to Government Regulation Number 9 of 1995 concerning the

Implementation of Savings and Loan Business Activities by Cooperatives, "Savings and

loan business activities are activities carried out to collect funds and channel them through

savings and loan business activities from and for the members of the respective

cooperatives, prospective members of the respective cooperatives, other cooperatives,

and their members" (Sembiring, 2006).

Based on the Regulation of the Minister of Cooperatives and Small and Medium

Enterprises of the Republic of Indonesia Number 11 of 2017 concerning electronic

service networks, "KSPPS and USPPS Cooperatives can develop electronic service

networks for savings and loan and Sharia financing businesses by utilizing information

technology" (KOPERASI & DAN, 2018).

Research Methods

COBIT 5 Framework

This research examines the condition of Information Technology (IT) governance

implemented by Credit Union XYZ using a capability model adapted from the COBIT 5

framework. (Syuhada, 2021). The main objective is to identify existing IT processes with

a particular focus on the APO and DSS domains.

Research Flowchart

In this research, the researcher collected data using a qualitative method based on a

case study approach. The research flowchart, as shown in Figure 2 :

Evaluation of IT Governance at Credit Union XYZ Financial Institutions Using COBIT 5

Framework

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3719

Figure 2. Research Flowchart

Based on Figure 2 above, here are the explanations for each stage of the research

framework:

1. Research Planning

This stage begins with collecting data and information regarding the IT governance

conditions at Credit Union XYZ through the use of primary data (observations and in-

depth interviews with selected informants) as well as the use of secondary data (literature

reviews and document studies) on the research object. This is done to identify the domain

processes in COBIT 5 that are selected according to the scope of the research needs.

2. Mapping Scenario

In this stage, mapping is carried out to align the strategic targets of Credit Union

XYZ with the goals of COBIT 5 to identify the strategic target needs. This phase aims to

obtain the processes that will be used as a reference for designing evaluation

questionnaires.

3. Capability Levels and GAP Analysis

In this stage, what will be done is to calculate the level of capability and perform

gap analysis by compiling and elaborating evaluation findings for each process in

Start

Stage 1: Research Planning

Literature

Review

Observation

Interviews

Stage 2: Mapping Scenario

Enterprise

Goals Target

Mapping

Enterprise Goals

To IT Related

Mapping IT

Related Goals

To Process

Preparation of

Questionnaires

Stage 3: Capability Level and GAP Analysis

Questionnair

Capabilit

y Level

Calculati

GAP

Analysi

Recommendati

Finish

Vinsensius Rekat, Gunawan Wang

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3720

domains APO06, APO07, DSS01, DSS02, and DSS03. The Process Assessment Model

(PAM) is a process assessment model within the COBIT 5 framework that applies a new

approach based on the International Organization for Standardization (ISO)/International

Electrotechnical Commission (IEC) 15504 (Almeida et al., 2018). There are 6 levels of

capability that each process can achieve, namely:

1. Level 0: Incomplete

At this level, the process is either not implemented or fails to achieve its objectives.

There is little to no achievement of the process.

2. Level 1: Performed

At this level, the process exists and achieves its process objectives.

3. Level 2: Manage

At this level, the processes have been executed and implemented in a more

organized manner and establish, control, and maintain the resulting products effectively.

4. Level 3: Established

At this level, IT implementation has utilized specific processes that have been

agreed upon and achieved outputs as expected.

5. Level 4: Predictable

At this level, processes have been executed within defined boundaries to achieve

process outputs as expected.

6. Level 5: Optimizing

At this level, there is continuous improvement of processes to ensure that current

and future business objectives can be met.

After the capability level assessment stage is completed, the next stage is to conduct

a gap analysis. This gap analysis is used to compare the current capability levels obtained

from the evaluation with the expected capability levels. GAP analysis is applied to each

selected domain process.

Results and Discussion

Enterprise Goals Target

In determining the company's objectives, reference is made to the COBIT 5 goal

cascade, which includes 17 overarching company goals grouped according to the

balanced scorecard dimensions. (Syuhada, 2021). To establish the company's objectives,

COBIT's company goals are identified and then aligned with the objectives of Credit

Union XYZ. (Deng et al., 2000). This process yields the mapping results of Credit Union

XYZ's objectives, as depicted in Figure 3.

Evaluation of IT Governance at Credit Union XYZ Financial Institutions Using COBIT 5

Framework

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3721

Figure 3 Mapping results of the objectives of Credit Union XYZ

Mapping Enterprise Goals To IT-Related Goals

The mapping illustrates how each objective related to IT is supported by processes

associated with COBIT 5 (Syuhada, 2021). Figure 4 shows the mapping results of

company objectives for IT-related targets, where P stands for Primary, indicating a

significant relationship where IT-related objectives are the main support for company

objectives. Meanwhile, S stands for Secondary, indicating a strong but less critical

relationship where IT-related objectives are secondary support for company objectives.

Determining whether the relationship is P or S refers to COBIT 5 processes (Syuhada,

2021).

Figure 4. Mapping result Enterprise Goals to IT-Related goals

Mapping IT-Related Goals To Process

Vinsensius Rekat, Gunawan Wang

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3722

Based on the mapping results previously conducted, 5 domain processes have been

identified with a primary scale where IT-related objectives are the main support for

company objectives. These 5 domain processes are APO06, APO07, DSS01, DSS02, and

DSS03 as shown in Figure 5 and Figure 6. When creating the questionnaire, reference is

made to the COBIT 5 processes, specifically PAM from ISACA (Almeida et al., 2018).

Figure 5 Mapping result IT-Related Goals to Process Domain APO.

Figure 6. Mapping Result IT-Related Goals to Process Domain DSS

Capability Level Measuring Process

Evaluation of IT Governance at Credit Union XYZ Financial Institutions Using COBIT 5

Framework

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3723

This stage involves assessing the selected domain processes, where each domain

process is checked gradually to determine if it meets the requirements at each level,

ranging from level 1 to 5. To meet the assessment criteria, there are category requirements

for each level. A process will be categorized as "Largely achieved (L)" if the score

obtained is between 50-80%, and if the score achieved is between 85-100%, the category

obtained is "Fully achieved (F)" (Syuhada, 2021).

The results of the capability level calculations are displayed in a graph illustrating

the capability level calculations, as shown in Figure 7. Figure 7 illustrates the results of

the capability level calculation for the APO and DSS domain processes as follows:

Level 2 with an attainment of 5, consisting of domains APO06, APO07, DSS01, DSS02,

and DSS03.

Figure 7. Capability Level Calculation Graph

From the graph of capability level calculations shown in Figure 7, a spider diagram

is then created to indicate the achieved capability levels, target capability levels expected,

and the gaps for each APO and DSS process assessed as depicted in Figure 8.

Figure 8. GAP Analysis Spider Web Diagram

Level 0 Level 1 Level 2 Level 3 Level 4 Level 5

Hasil Perhitungan Capability Level (Current)

APO06 APO07 DSS01 DSS02 DSS03

APO06

APO07

DSS01DSS02

DSS03

GAP Capability Level

Level Target GAP

Vinsensius Rekat, Gunawan Wang

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3724

Based on The calculation results of the 4 selected domain processes, they serve as

a reference to determine the gap analysis by first establishing the desired targets. The

results of the gap analysis are presented in Table 1.

Table 1

GAP Analysis Result

Process

Code

Process Description

Current

Capability

Level

Target

Capability

Level

GAP

Analysis

APO06

Manage budget and costs

APO07

Manage human resources

DSS01

Manage operation

DSS02

Manage service requests and

incidents

DSS03

Manage problems

Based on the above GAP analysis results, calculations are carried out to determine

the average Capability Level achieved in the IT function.

Capability Level = (0*1) + (1*0) + (2*5) + (3*0) + (4*0) + (5*0)

= 10

Capability Level = 2

Conclusion

Based on the analysis of Information System governance at Credit Union XYZ, it

can be concluded that the relevant COBIT 5 processes, including APO06, APO07,

DSS01, DSS02, and DSS03, are critical to addressing governance issues. Currently, the

average capability level for managing these Information Systems is at Level 2, while the

desired future target is Level 3, indicating a gap of 1 level that needs to be addressed.

Evaluation of IT Governance at Credit Union XYZ Financial Institutions Using COBIT 5

Framework

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3725

Bibliography

Adikara, F. (2013). Implementasi Tata Kelola Teknologi Informasi Perguruan Tinggi

Berdasarkan COBIT 5 pada Laboratorium Rekayasa Perangkat Lunak Universitas

Esa Unggul. SESINDO 2013, 2013.

Almeida, R., Lourinho, R., da Silva, M. M., & Pereira, R. (2018). A model for assessing

COBIT 5 and ISO 27001 simultaneously. 2018 IEEE 20th Conference on Business

Informatics (CBI), 1, 60–69.

Deng, H., Yeh, C.-H., & Willis, R. J. (2000). Inter-company comparison using modified

TOPSIS with objective weights. Computers & Operations Research, 27(10), 963–

973.

Doughty, K., & Grieco, F. (2005). IT governance: pass or fail. Information Systems

Control Journal, 2.

Indonesia, P. R. (1998). Undang-Undang Republik Indonesia Nomor 32 Tahun 1999

Tentang Perubahan Atas Undang-Undang Nomor 3 Tahun 1998 Tentang

Anggaran Pendapatan Dan Belanja Negara Tahun.

Jamesh, M. I., & Prakash, A. S. (2018). Advancement of technology towards developing

Na-ion batteries. Journal of Power Sources, 378, 268–300.

KOPERASI, K., & DAN, M. K. D. A. N. U. K. (2018). Peraturan Menteri Koperasi dan

Usaha Kecil dan Menengah Republik Indonesia. Nomor.

Luthfah, D. (2024). Penguatan Keamanan Siber Pada Sektor Jasa Keuangan Indonesia.

Jurnal Penelitian Dan Karya Ilmiah Lembaga Penelitian Universitas Trisakti, 259–

267.

Martin, X., & Roychowdhury, S. (2015). Do financial market developments influence

accounting practices? Credit default swaps and borrowers׳ reporting conservatism.

Journal of Accounting and Economics, 59(1), 80–104.

Nugrahanti, F. (2015). Perancangan sistem informasi inventory sparepart mesin fotocopy

dengan menggunakan visual delphi 7. STT Dharma Iswara Madiun, 2(9).

Rosenthal, A., Mork, P., Li, M. H., Stanford, J., Koester, D., & Reynolds, P. (2010).

Cloud computing: a new business paradigm for biomedical information sharing.

Journal of Biomedical Informatics, 43(2), 342–353.

Sembiring, S. (2006). Himpunan ketentuan tentang Badan Usaha Koperasi dan Usaha

Kecil: UU No. 25 tahun 1992 tentang Perkoperasian dan UU No. 9 tahun 1995

tentang Usaha Kecil. Nuansa Aulia.

Stockdale, R., & Standing, C. (2006). An interpretive approach to evaluating information

systems: A content, context, process framework. European Journal of Operational

Vinsensius Rekat, Gunawan Wang

Jurnal Indonesia Sosial Teknologi, Vol. 5, No. 9, September 2024 3726

Research, 173(3), 1090–1102.

Susetyo, B., Susilawati, A. D., Yunita, E. A., Herwinarni, Y., Amalia, M. R., & Wiyanti,

S. (2024). Pelatihan Pengelolaan Bagi Anggota Koperasi Pegawai Republik

Indonesia (Kpri) Sejahtera Dinas Pendidikan Kota TegaL. Jurnal Pengabdian

Kolaborasi Dan Inovasi IPTEKS, 2(2), 505–512.

Syuhada, A. M. (2021). Kajian Perbandingan Cobit 5 dengan Cobit 2019 sebagai

Framework Audit Tata Kelola Teknologi Informasi. Syntax Literate; Jurnal Ilmiah

Indonesia, 6(1), 30–39.