Jurnal Sistem Informasi Bisnis 02(2024)

Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587

On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

IT Governance Design in XY University using COBIT 2019

Framework
Willson Mangoki*, Danny Manongga, Ade Iriani

Faculty of Information Technology, Satya Wacana Christian University, Indonesia

Submitted: January 5th, 2024; Accepted: March 3rd, 2024

DOI:10.21456/vol14iss2pp111-122

Abstract

The management and control of information and technology at the university were required for IT's finest use, but
in line with organization goals, they can be realized with the use of IT governance. This research uses a qualitative
approach with techniques such as interviews, observation, expert judgment, and literature studies that are relevant
to the concept of IT governance with the COBIT framework and its application in various fields. This research
presents an IT governance design that is considered suitable to be applied at XY University using COBIT 2019
Framework. 10 design factors and 40 IT processes listed in COBIT 2019 are used as parameters. The results
obtained from four processes with scores ranging from 50 to 100 with capability levels 3 and 4, namely APO04-
Managed Innovation, APO03-Managed Enterprise Architecture, APO07-Managed Human Resources, and BAI07-
Managed IT Change Acceptance and Transitioning, are translated into recommendations for actions that need to
be taken in implementing IT governance.

Keywords: IT Governance; University; COBIT 2019

1. Introduction governance standards or set of regulations related to

the use of IT have been found. The current IT
Currently, information technology plays an development at XY University in terms of the
important role in educational institutions such as Ministry of Research, Technology, and Higher
universities. In order to optimize IT in the field of Education regulations needs to be organized in a
education, the Ministry of Research, Technology, and framework in the form of governance in the use of
Higher Education, through Permenristekdikti No. 62 technology and information, which is then called IT
of 2017, stipulates regulations on information governance (Salegar and Rizal, 2020). IT governance
technology governance covering the scope of higher includes identifying, establishing, and linking
education (Permenristekdikti No 62 Tahun 2017, mechanisms within IT to manage risks while at the
n.d.), as a guideline for the implementation of good same time ensuring system performance in line with
governance through e-government for each the goals that the organization wants to achieve
organizational unit so that the use of IT, which covers (Saputra and Redo, 2021; Asterinadewi and Handoko,
planning, spending, and investment management, 2018). Building IT in an organization is certainly
realization, operation, and system management, is expected to provide value that is useful for the
carried out within an accountability framework. XY institution, considering the investment made
University makes IT a part of services in the field of (Lompoliu et al., 2022). Many frameworks have been
education, as stated in the Master Plan for System developed to assist in implementing IT governance,
Development and Information Technology (Ripsti) one of which is COBIT 2019 (Harits et al., 2022).
2020–2025. Furthermore, XY University's 2020–2025 COBIT 2019 regulates IT governance by focusing on
Strategic Plan (Renstra) determines the focus for the organizational needs and a series of design factors by
current management period, one of which is on adjusting and prioritizing governance system
improving governance at the university level and components to suit the characteristics of the institution
faculty level. (Wabang et al., 2021).
As of currently, XY University's use of IT has only This study uses a qualitative approach to data
focused on administration and lectures, while other collecting, which is done by interviewing people who
processes have not been implemented and/or are in the have knowledge of the research topic and by looking
process of being digitized to use information systems at the case study. While observations were made by
(Gallaran et al., 2022). In the observations made, no closely observing the business processes taking place
in the organization as well as documents related to the
*) Corresponding author: [email protected] research topic in the case study, interviews were also

111
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

conducted to ascertain the perspectives of control resources related to technology and

stakeholders regarding the current and future information to support the goals and strategies of the
conditions, goals, and strategies of XY University. organization (Samsinar and Sinaga, 2022).
The COBIT framework's use in the academic
sector is covered in research by Murad et al. (2018). 2.2. COBIT
They applied COBIT for their research, concentrating COBIT (Control Objectives for Information and
on the EDM (Evaluate, Direct, and Monitor) domain. Related Technology) is a framework for the
The decision to choose this domain is based on the governance and management of information and
requirements, circumstances, and stakeholder choices technology aimed at all companies developed by
so that current IT can function in line with ISACA (Information System and Control
organizational objectives. In this study, several Association) (Bernika and Nuryana 2021; Haster and
procedures, including conducting interviews, Hartomo, 2022). IT in the company is all
establishing roles, and assessing the level of technological and information processing carried out
capability, produced an analysis of the organizational by the company to achieve goals, regardless of the unit
capability and suggestions for improving the IT that carries out the process (Saleh et al., 2021). In other
management process. words, IT in an organization is not limited to the IT
Similar research was also conducted by Gunawan department of the organization (ISACA, 2018b).
et al., (2018) and Alonso et al., (2020), by using COBIT 2019 distinguishes between governance and
COBIT as an IT governance framework in higher management. These two disciplines cover different
education institutions. The results of this study take activities, require different organizational structures,
the form of IT governance system suggestions, and are for different purposes. COBIT defines the
capacity evaluations, and references to the COBIT 5 components for building and maintaining a
EDM domain. governance system in the form of processes,
Research on IT governance with the COBIT organizational structure, policies and procedures,
2019 framework by Wabang et al., (2021) to analyze information flow, culture and behavior, and skills in
IT governance related to academic services in the leading the organization (Fadhilah et al., 2021).
research object. Enterprise goals are set as design
factors then the analysis is carried out by measuring 2.3. COBIT 2019
the maturity level of IT management with the COBIT COBIT 2019 has a framework covering five
2019 standard to identify the current state of IT domains in the governance area to ensure that the
governance, as well as analyzing the gaps that occur needs, circumstances, and choices of stakeholders are
to improve IT governance and formulating interpreted to determine balanced and agreed-upon
recommendations for improvements to IT governance corporate goals (Sipayung et al., 2022), determine the
and management to achieve organizational goals or direction of the company by prioritizing and making
the expected level of maturity. decisions, and also monitoring performance, and
This study uses the University's Strategic Plan and adherence to agreed-upon directions and goals
IT Development Plan which shows the University's specifically for the EDM domain (Audia and
actual issues and priorities, as a measure for designing Sugiantoro, 2022). In the management area, it is the
a more accurate IT Governance model. In contrast to planning, construction, implementation, and
prior studies that centered on a single domain, this monitoring of activities in line with the direction set in
study offers a novel approach based on the COBIT the governance section to achieve company goals.
2019 design tools and applied COBIT 2019 domains This area consists of the APO (Align, Plan, and
tailored to university issues, rather than just focusing Organize), BAI (Build, Acquire, and Implement),
on the needs of a particular division. Therefore, this DSS (Deliver, Service, and Support), and MEA
study aims to present an IT governance design that is (Monitor, Evaluate, and Assess) domains (Legowo
suitable to be applied at XY University by using and Christian, 2019; Yasin et al., 2020). The
COBIT 2019 framework. application of the COBIT 2019 framework differs
from one company to another because, in practice, the
2. Literature Review application of COBIT 2019 is highly dependent on the
characteristics and needs of each company, so
2.1. Governance governance guidelines in one company cannot be the
Governance is a system and process to ensure standard for governance guidelines in other
accountability and transparency in an organization companies. The overall governance and management
(Wabang et al., 2021).Therefore, IT governance is areas and their domains are shown in Figure 1.
defined as the authority and responsibility to
determine decisions that encourage the behavior of
technology and information utilization in
organizations (Murad et al., 2018). Furthermore, IT
governance can be interpreted as an instrument to

112
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

strategy, which are then translated into business

objectives, IT objectives, and IT processes using the
COBIT 2019 framework (Lestari et al., 2022). The
next stage of identifying findings involves using the
expert judgment method to obtain a more accurate
assessment. Recommendations are made from the
findings for the IT governance process. In the final
stage of the analysis process, the design factor is
obtained (Nurcahya et al., 2022) which correlates with
IT governance in the case study and becomes an IT
governance design that is hopefully compatible with
the existing conditions to be achieved by XY
University (Anastasia and Atrinawati, 2020). The
detailed research stages are shown in Figure 3.
Figure 1. COBIT 2019 Core model
University s
2.4. Capability Level Data Collection RENSTRA &
The capability level is measured by how well a RIPSTI
process is implemented and executed. The process
refers to the activities contained in the governance and Interview and
management objectives (ISACA, 2018a). A process Data Analysis
Literature Review
reaches a set capability level if all activities at that
level are successfully fulfilled. The scale used is 0 to
5 (Saridewi et al., 2018). In more detail, the scale at
IT Alignment IT Processes
the capability level can be seen in Figure 2. Enterprise Goals
Goals Alignment

Design Factors

Design and
Modelling

University IT
Governance
Design

Figure 3. Research Stages

Figure 2. Capability Level
The explanation of the research stages based on
3. Method
Figure 3 above is as follows:
This research uses a qualitative descriptive 1) Alignment of Enterprise goals, IT Goals, and IT
processes
method. This method is carried out by collecting data
The 2019 COBIT framework's IT governance
first, then clarifying, analyzing, and interpreting it to
obtain a clearer picture of the research object (Riadi et design requirements provide the foundation for
al., 2018). The initial stage in this research is data this stage. Understanding the enterprise strategy,
collection by document observation (Safitri et al., enterprise goals, risk profile, and IT-related
2021). The documents examined were the Strategic concerns is the key goal of this stage. To
comprehend the organization's strategy, the
Plan and Ripsti 2020–2025 of XY University,
purposed outcomes, and the actual status of IT in
obtained from the research site stakeholders. The
document contains, among others, the mission, vision, the organization, the vision, purpose, and
and university's strategy to develop quality over a 5- organizational goals as described in the document
year period. In addition to observations on documents, and observe the business processes that are in
operation must be examined.
observations were made on existing business
2) Identify IT governance design factors
processes at the case study site to understand the
process flow in a more structured manner, coupled Using the COBIT 2019 toolbox, this step
with literature studies from relevant research. After all serves to define the scope of the governance
the necessary data is collected, an initial analysis is system design by taking into account Design
carried out by looking at the mission, vision, and Factors (DF) 1 through 10 (Tulus and Tanaamah,
2023). Enterprise strategy, enterprise goals, risk

113
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

profile, IT-related concerns, threat landscape, and select the domain to be analyzed using the
compliance standards, the function of IT, source Goals Cascade method as shown in Figure 4.
model for IT, IT implementation techniques, and
technology adoption strategy make up the design Stakeholders
Drivers and
element. Additionally, it is decided which DF shall Needs
be applied as well as its value. The degree of Enterprise
governance and management objectives is the Goals
conclusion of this assessment. Alignment
3) IT governance design results Goals
Governance
The IT governance system design is completed and
at this level using all the results from the preceding Management
procedure. The procedures in question involve objectives
combining all the data from the earlier processes Figure 4. COBIT 2019 Framework Goals Cascade
to conclude the DF. The governance that emerges
must reflect the evaluation of each DF. This The Goals Cascade in Figure 4 shows how the
approach enables deriving conclusions in the form process of identifying stakeholder needs derived
of an IT governance system design based on the into agency business goals (enterprise goals) and
phases of creating an IT governance system to IT implementation goals (alignment goals), which
create a recommendation to stakeholders at XY result in IT governance and management
University. objectives. Based on this process, an IT
governance design is implemented at XY
4. Result and Discussion University using the steps contained in the Design
Factors (DF) COBIT 2019.
4.1. Result 2) DF 1: Enterprise Strategy
IT at XY University plays an important role in Each institution has its strategy in the strategic
various aspects. From the interviews conducted, it was development plan. As in COBIT 2019, this
found that IT can support and develop campus development plan is categorized into four types
performance and services. Seeing the development of according to the focus of the goals set, namely
technology to date, universities are trying to adapt to where the company or agency focuses on growth
the use of information systems and technology, and development (growth/acquisition), focuses on
especially in academics and services related to the providing something new in terms of goods and
needs of the academic community. In this IT services (innovation/differentiation), focuses on
implementation, BAPSI plays a role as a party directly minimizing the use of finance in the long run (cost
related to the development and implementation of IT leadership) and focuses on providing reliable
within the scope of the campus. The information services (client service/stability). The analysis of
systems used today are not fully developed internally, the XY University strategy based on the Strategic
but some are distributed by the Directorate of Higher Plan and RIPSTI is as shown in Table 1.
Education (Dikti) and by vendors.
The existing IT resources at the university are Table 1. XY University Strategy
centered on the services of the Academic Value Importance (1-5)
Administration Bureau and lectures. As for further Growth/acquisition 5
development plans, it is expected that the information Innovation/Differentiation 4
Cost Leadership 1
system under development can fulfill the needs of all Client Service/Stability 2
fields. The focus on the availability of this service will
be categorized into three systems that integrate three Table 1. above shows that XY University has a
fields: admissions, finance, and academics. The three strategy that focuses on growth/acquisition
bureaus will be synchronized through an integrated compared to innovation. This is because
line to create a digital-based campus. User adaptation universities are entities in the field of education
to the new information system requires an educational that always process and adjust to the current
process so that all elements involved can familiarize development of science and technology.
themselves with the changes in business processes that 3) DF 2: Alignment of Enterprise Goals to Alignment
occur. Therefore, to understand the purpose and value Goals
of implementing IT as a whole, IT governance goes The next stage is DF 2, namely Alignment of
through the following: Enterprise Goals to Alignment Goals, which aims
1) Mapping COBIT 2019 Domains to align institutional goals with IT goals. The
The initial stage before designing IT purpose of XY University in higher education in
governance at XY University is to map the Indonesia is to create human resources who have
domains contained in the 2019 COBIT framework God-fearing characters, academic abilities, and
creative abilities, develop and apply science,

114
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

technology, and art, disseminate science, No. Alignment Goals Relation

technology, and art for the benefit of the
AG04 Quality of technology related Primary
community's life and national culture, and create financial information
higher education and higher education AG05 Delivery of IT services in line with Secondary
management through best educational practices. business requirements
The business objectives in the 2019 COBIT AG06 Agility to turn business Secondary
requirements into operational
Framework Balanced Scorecard (BSC) selected solutions
based on information contained in the Strategic AG07 Security of information, processing Secondary
Plan and RIPSTI in the form of strategies and infrastructure and applications
priorities in areas at the university level and the AG08 Enablement and support of Primary
business processes by Integrating
number of budgeted funds. Direct field applications and technology
observations were carried out to find out and verify AG09 Delivery of programs on time, on Primary
the ongoing conditions of the business processes. budget, and meeting requirements
In the end, interviews were conducted with the and quality standards
AG10 Quality of IT Management Primary
heads of academic administration, finance, human Information
resources, the quality assurance agency, and the AG12 Competent and motivated staff with Secondary
information system development section so that mutual understanding of
the determination of enterprise goals was more technology and business.
AG13 Knowledge, expertise and Primary
accurate (EG01, EG04, EG05, EG06, EG07, initiatives for business innovation
EG08, EG10, EG12, and EG13).
4) DF 3: Risk Profile
Table 2. Enterprise Goals (EG) Universitas XY
Based on the 2019 COBIT framework, DF 3 is
No. Enterprise Goals BSC Relationship a continuing risk at XY University related to
EG01 Portfolio of Financial Primary technology and information. Based on the severity
competitive products of the issue, its effects, and its likelihood of
and services occurring, these hazards are recognized and given
EG04 Quality of financial Financial Secondary
information
points. Table 4 displays the risk profile at XY
EG05 Customer-oriented Customer Secondary University.
service culture
EG06 Business service Customer Primary Table 4. Risk Profile Universitas XY
continuity and
Impact Likelihood
availability Risk Scenario Category Risk Rating
(1-5) (1-5)
EG07 Quality of Customer Primary
management IT investment decision 4 3 High Risk
information making, portfolio
EG10 Staff skills, motivation Internal Primary definition &
and productivity maintenance
EG12 Managed digital Growth Primary Program & projects life 3 2 Normal Risk
transformation cycle management
programs IT cost & oversight 3 4 Very High Risk
EG13 Product and business Growth Primary IT expertise, skills & 4 4 Very High Risk
innovations behavior
Enterprise/IT 5 3 High Risk
architecture
The mapping of business objectives into the IT operational 4 2 Normal Risk
corresponding IT objectives is done by mapping infrastructure incidents
EG and Alignment Goals (AG). The IT goal to be Unauthorized actions 3 2 Normal Risk
Software 5 3 High Risk
achieved by XY University is the integration of
adoption/usage
information within the university environment. problems
Mapping of IT goals is carried out with 13 Hardware incidents 2 2 Normal Risk
perspectives of IT goals in 4 dimensions in BSC, Software failures 5 2 Normal Risk
Logical attacks 2 1 Low Risk
namely customers, financial, internal, and growth,
(hacking, malware,
contained in the 2019 COBIT framework obtained etc.)
Alignment Goals (AG03, AG04, AG05, AG06, Third-party/supplier 3 2 Normal Risk
AG07, AG08, AG09, AG10, AG12, and AG13) as incidents
Noncompliance 1 1 Low Risk
shown in Table 3.
Geopolitical Issues 2 2 Normal Risk
Industrial action 1 1 Low Risk
Table 3. Enterprise Goals (EG) to Alignment Goals Acts of nature 3 3 High Risk
(AG) Technology-based 5 3 High Risk
innovation
No. Alignment Goals Relation Environmental 2 3 High Risk
AG03 Realized benefits from IT-enabled Secondary Data & information 4 3 High Risk
investments and services portfolio management

115
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

Based on interviews and observations made in IT-Related Issue

Importance
Rating Issue
IT-related fields, Table 4 represents problems that (1-3)
IT-enabled changes or 2 Issue
XY University may be facing. Crucial things that projects frequently failing to
need consideration are divided into three groups, meet business needs and
where the main priority is on risk profiles with delivered late or over budget
very high risks, such as IT expertise, skills, Reluctance by board 2 Issue
members, executives or senior
behaviors, and IT costs and oversight. Meanwhile, management to engage with
several high risks issues need attention, such as IT, or a lack of committed
enterprise and IT architecture, software adoption business sponsorship for IT
and usage problems, and data and information Complex IT operating model 2 Issue
and/or unclear decision
management. This mapping can be a reference for mechanisms for IT-related
mitigating IT-related risks. decisions
Excessively high cost of IT 1 No Issue
5) DF 4: Information and Technology Related Issues Obstructed or failed 3 Serious Issue
implementation of new
(I&T-Related Issues) initiatives or innovations
In DF 4, issues about the utilization of IT at XY caused by the current IT
University are described. The problems used in DF architecture and systems
4 are IT-related problems that XY University Gap between business and 1 No Issue
technical knowledge, which
typically encounters. Additionally, mapping is leads to business users and
carried out by contrasting current problems with information and/or
XY University settings. The mapping outcomes technology specialists
are displayed in Table 5. speaking different languages
Regular issues with data 1 No Issue
quality and integration of data
Table 5. I&T-Related Issues Universitas XY across various sources
Importance High level of end-user 1 No Issue
IT-Related Issue Rating Issue
(1-3) computing, creating (among
Frustration between different 1 No Issue other problems) a lack of
IT entities across the oversight and quality control
organization because of a over the applications that are
perception of low contribution being developed and put in
to business value operation
Frustration between business 1 No Issue Business departments 2 Issue
departments (i.e., the IT implementing their own
customer) and the IT information solutions with
department because of failed little or no involvement of the
initiatives or a perception of enterprise IT department
low contribution to business (related to end-user
value computing, which often stems
Significant IT-related 2 Issue from dissatisfaction with IT
incidents, such as data loss, solutions and services)
security breaches, project Ignorance of and/or 1 No Issue
failure and application errors, noncompliance with privacy
linked to IT regulations
Service delivery problems by 2 Issue Inability to exploit new 3 Serious Issue
the IT outsourcer(s) technologies or innovate
Failures to meet IT-related 1 No Issue using I&T
regulatory or contractual
requirements
Regular audit findings or 1 No Issue From Table 5. above, four serious issues
other assessment reports related to IT at XY University were identified.
about poor IT performance or These results are based on interviews with bureaus
reported IT quality or service related to the use of IT in the campus environment.
problems
Substantial hidden and rogue 2 Issue The first serious issue, namely duplication or
IT spending, that is, IT overlaps between initiatives or other forms of
spending by user departments wasted resources, is an issue that arises from the
outside the control of the use of resources (hardware and software) that are
normal IT investment
decision mechanisms and not maximized; this is one of the causes of
approved budgets efficiency and effectiveness in administrative
Duplications or overlaps 3 Serious Issue activities and unsatisfactory lectures, so this issue
between various initiatives, or needs to be followed up.
other forms of wasted
resources Insufficient IT resources, staff with inadequate
Insufficient IT resources, staff 3 Serious Issue skills, or staff burnout/dissatisfaction are the other
with inadequate skills or staff issues that are crucial due to the lack of human
burnout/dissatisfaction resources in IT management in the related bureau.

116
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

From interviews with those who handle HR and In Figure 6, the level of compliance with
IT, it was found that the current workload owned applicable regulations is at the Normal stage with
by the IT bureau and the lack of staff in handling a percentage of 90%, while the other 10% demand
IT makes planning, managing, and repairing IT a high level of compliance referring to government
infrastructure in the campus environment regulations and the ministry of education in the
constrained. Procurement of human resources that implementation of higher education.
goes straight with the infrastructure procurement
process in the IT bureau can maximize the Design Factor 6 Compliance Requirements
availability and stability of IT-related services and
High Normal Low
optimize synergies with other bureaus.
Obstructed or failed implementation of new
0% 10%
initiatives or innovations caused by the current IT
architecture and systems is the third serious issue
identified. One of the obstacles to digitizing
business processes arises from the IT architecture,
which is still insufficient for implementing the
system. The plan to implement an integrated
information system, planned to start in 2021, is
90%
constrained by several things, one of which is the
availability of infrastructure that is still inadequate.
This issue is related to the previous issue regarding
Figure 6. Compliance Requirements
the lack of human resources, so the process of
planning and procuring supporting infrastructure 8) DF 7: Role of IT
for implementing an integrated information system The identification results of DF 8 in Figure 7
is hampered and has an impact on the running of show the role of IT at XY University. Turnaround
IT services in the campus environment. is given a value of 5, with the role of IT seen as a
The inability to exploit new technologies or driver in innovating the current administrative and
innovate using I&T is the fourth crucial issue, academic processes. Factory is given a value of 3
especially in education. The implementation of the considering the direct impact that can be felt by the
latest technology is one of the key factors in university on the continuity and sustainability of
accelerating the absorption and development of business processes and services. Strategic is given
knowledge; therefore, universities must be able to a value of 2 because there is no critical dependence
adapt and innovate using IT. on IT for the sustainability of existing business
processes, or, in other words, business processes
6) DF 5: IT Threat Landscape can still be carried out manually. The support
DF 5 is used as a method to assist in aspect is given a value of 1, considering that the
identifying threats that may be harmful to expected role of IT is not only seen as limited
University X. Based on the interview results, it was support in providing services to users but also
found that 80% of IT-related threats are considered encouraging changes and quality improvements at
normal, while 20% of high-risk threats occur due XY University as a whole.
to human error or system failure, as shown in
Figure 5. Design Factor 7 Role of IT (Input)
0 1 2 3 4 5
Design Factor 5 IT Threat Landscape
Support 1
High Normal
Factory 3

20% Turnaround 5

Strategic 2

Figure 7. Role of IT
80%
9) DF 8: Sourcing Model for IT
The Sourcing Model for IT in DF 8 is a method
of managing IT management resources. As shown
Figure 5. IT Threat Landscape in Figure 8, insourcing is the most dominant
7) DF 6: Compliance Requirements approach used in the management of IT at the
university, with a percentage of 80% for IT-related

117
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

systems and infrastructure, while outsourcing is

Design Factor 10 Technology Adoption
20% for supporters and third parties who Strategy
collaborate with XY University, such as banks
related to the financial section and ISPs for internet First mover Follower Slow adopter
service providers to run the system.
0%
DESIGN FACTOR 8 IT SOURCING MODEL 20%
(INPUT)

Outsourcing Cloud Insourced

20%

0% 80%

Figure 10. Technology Adoption Strategy

80%
4.1. Discussion

Step 2 Initial Design

Figure 8. Sourcing Model for IT
Governance and Management Objectives
10) DF 9: IT Implementation Method Importance
The IT implementation method at XY -100 -50 0 50 100
University is identified with the IT implementation EDM01 -15
method in DF 9. From Figure 9, 80% of the total EDM02 20
percentage is identified in the traditional method, EDM03 -45
where software development and operation run EDM04 20
EDM05 -20
separately. The Agile method, with a total of 20%, APO01 0
weighs the suitability of continuous system APO02 55
development. APO03 65
APO04 100
APO05 50
Design Factor 9 IT Implementation Methods APO06 -10
APO07 30
APO08 35
Agile DevOps Traditional APO09 0
APO10 -25
APO11 0
APO12 -35
APO13 -70
20% APO14 -20
BAI01 60
BAI02 20
0% BAI03 5
BAI04 -25
BAI05 65
BAI06 10
BAI07 15
BAI08 50
80% BAI09 -20
BAI10 -5
BAI11 15
DSS01 -20
DSS02 -30
Figure 9. IT Implementation Method DSS03 5
DSS04 -40
11) DF 10: Technology Adoption Strategy DSS05 -55
DSS06 -35
The technology adoption strategy is a strategy
MEA01 -20
used by XY University to adapt technology, or IT, MEA02 -30
as shown in Figure 10. Based on the identification MEA03 -80
carried out, it is known that XY University is more MEA04 -35
inclined towards slow adapters compared to
followers, where the technology currently adopted Figure 11. Initial Design of Governance and
has been used for a long time by other universities. Management Objective

118
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

As seen in Figure 11, the inputs gathered from DFs Based on the results shown in Figure 12, there are
1 through 4 are combined to provide a preliminary 40 processes with their respective scores based on the
perspective of the governance design. Figure 10b input from the existing DF. The significance level of
illustrates how the procedure is carried out with DF 5 the processes in the governance design is represented
to 10 until the desired results are reached. The results by positive values, while processes with negative
show the goal capability level as well as the key model values tend to be less significant or insignificant.
processes that are deemed important with a priority APO04 (Managed Innovation) with a final score of 80,
level. The intended capability level is 2 if the score is is the process with the highest level of significance,
25 or more, level 3 for a score of 50 or more, and level followed by APO03 (Managed Enterprise
4 for a score of 75 or more, according to COBIT 2019, Architecture) with a final score of 50, BAI08
which explains that the priority level of a process is (Managed Knowledge) at 45, APO02 (Managed
defined by the quantity of score shown. Strategy) at 40, and BAI01 (Managed Programs) and
BAI05 (Managed Organizational Change) at 35.
Governance and Management Objectives
Importance (All Design Factors) Table 6. XY University Target Capability Level
Target
-100 -50 0 50 100 Governance/Management
Reference Capability
Objective
EDM01 -50 Level
EDM02 0 APO02 Managed Strategy 2
EDM03 -85
APO03 Managed Enterprise Architecture 3
APO04 Managed Innovation 4
EDM04 0 APO07 Managed Human Resources 3
EDM05 -35 BAI01 Managed Programs 2
APO01 -30 BAI05 Managed Organizational Change 2
APO02 40 BAI06 Managed IT Changes 2
APO03
Managed IT Change Acceptance
50
BAI07 and Transitioning 3
APO04 80 BAI08 Managed Knowledge 2
APO05 20
APO06 -30
The highest score indicates that the target
APO07 0
capability level is at level 4. COBIT 2019 itself is not
APO08 15
recommended for implementing capability targets at
APO09 -60
the highest level (level 5) because it is difficult to
APO10 -90
define and almost impossible to implement in the
APO11 -25
APO12
shortest possible time. In Table 6, the target capability
-95
APO13 -90
level is set according to the score of each process in
APO14 -65
Figure 10, followed by adjustments based on
BIA01 35
interviews and documents on the strategic plan and
BAI02 0
information system development design of XY
BAI03 -30 University. The adjustment was made by giving a
BAI04 -50 score of 50 to the APO07 process, as well as BAI06
BAI05 35 and BAI07, with a score of 75. The increase in scores
BAI06 -30 on the four processes was carried out by considering
BAI07 -15 the urgency of the existing processes and their
BAI08 45 expected impact.
BAI09 -25 APO04, with a target capability level of 4, is
BAI10 -30 calculated to manage a framework that has the
BAI11 -10 potential to generate innovation and ideas to improve
DSS01 -40 the effectiveness and efficiency of IT operations. To
DSS02 -50 achieve innovation through the application of IT, it is
DSS03 -10 necessary to consider mechanisms and work culture as
DSS04 -60 well as a deeper understanding of those who manage
DSS05 -70 and operate technology to problems that occur in
DSS06 -50 business processes or process constraints where
MEA01 -100 innovation with IT can create solutions or
MEA02 -45 opportunities. Just below the target capability level 4,
MEA03 -95 namely level 3, there are several processes at that
MEA04 -45
level.
APO03 is concerned with improving alignment,
Figure 12. Governance and Management Objective
effectiveness, information quality, and cost efficiency
Importance by establishing standards, guidelines, and procedures
in a common architecture consisting of business

119
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

processes, information, data, applications, and Reference Description

technology architecture. This architecture is the basis 4. Conduct post-implementation monitoring
of IT resources to ensure the level of user
and target in line with the strategy of University X and adaptation (lecturers, staff, and students).
IT. APO07 relates to optimized, planned, and 5. Conduct training related to the use of IT to
evaluated recruitment, acquisition, and development increase innovation in facilitating business
of human resources (both internal and external) with a processes that run at XY University.
APO07 1. Make a labour augmentation plan
structured approach. BAI07 relates to managing IT according to priority.
change and its transition by implementing solutions 2. Conduct performance evaluations to
safely and in accordance with agreed expectations and determine the number of human resources
outcomes, which include implementation planning, required.
3. Organize systematic and periodic training
system and data conversion, testing, communication, to improve the quality of human resources.
release preparation, promotion of new business BAI01 1. Create a plan that includes the resources
processes and IT services, and post-implementation and costs required for the implementation
evaluation. of the new information system.
2. Supervise and control the process of
Processes that are prioritized for XY University implementing the new information system
are in the APO and BAI domains because the scores and create documentation.
are above the range of 50 to 100 and the target 3. Create information system mitigation
capability level is at levels 3 and 4. Processes with guidelines and a post-implementation
evaluation.
scores below 50 do not mean can be ignored, but they BAI05 1. Establish rules for business process
are not prioritized for XY University in implementing changes that must be done digitally.
IT governance. Furthermore, the APO domain focuses 2. Provide training on digital business
on planning, adjusting, and managing the overall processes to raise awareness of the ease and
efficiency they bring.
organization, strategy, and support activities for IT, BAI06 1. Analyse any feedback received on
while the BAI domain focuses on the development and leasehold replacement requests, categorize,
implementation of information systems and their evaluate impacts, and mitigate.
integration in business processes, considering 2. Make plans and proposals for IT
infrastructure replacement based on
stakeholder needs and encouraging all parties to priority and urgency.
achieve the goals and vision of the established 3. Create documentation after the IT
mission. The recommendations needed to achieve the infrastructure change to see the suitability
capability targets are described in Table 7. of the results obtained.
BAI07 1. Create a detailed IT resource
implementation plan.
Table 7. Recommendations 2. Audit the system and data conversion
Reference Description process.
APO02 1. Identify and reference existing regulations 3. Create a user manual for the new
from both the government and other related information system.
agencies to be able to determine operational 4. Conduct post-implementation assistance.
standards. BAI08 1. Create documentation of training materials
2. Provide the IT resources needed to support that can be accessed by HR to support skill
service development and performance and competency development.
efficiency in each unit. 2. Cultivate the sharing of information and
3. Create feedback on the use of existing knowledge between HR, such as solutions
infrastructure so that it is appropriate. if there are system constraints and
4. Establish work guidelines for each unit for innovations that can be done through the
the division of roles and responsibilities system.
among individuals per their positions. 3. Provide digital information resources about
5. Create a risk mitigation strategy related to XY University's business processes by
the use of IT at XY University. determining the level of access according to
APO03 1. Evaluate the course of IT resource the user.
procurement and RIPSTI to ensure IT
implementation targets are on track.
2. Establish service standards for the facilities 5. Conclusion
and infrastructure of XY University,
especially in the IT field. Based on the results of data analysis using the
3. Establish a general architecture as a COBIT 2019 framework, an IT governance design
reference in IT implementation.
APO04 1. Evaluate the current business processes to suitable to be used at XY University was obtained.
find out which have not been digitized. Recommendations that are provided concerning
2. Make evaluations related to the use of IT factors which may be useful in selecting the most
infrastructure and analyse the current IT crucial processes in implementing the research result
developments to find technologies that can
be applied in the business processes of XY based on the capacity level to help the institution meet
University. its objectives. The university will be able to control
3. Conducting cooperation and coordination information technology with effective and efficient
with other universities in the IT field as a procedures that may enhance the quality of education
means of exchanging information and
developing infrastructure and services. and services by using proposed IT governance design.

120
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

Acknowledgments IOP Conference Series: Materials Science and

Engineering, 420. https://doi.org/10.1088/1757-
The author is grateful to those who have 899X/420/1/012108
encouraged the preparation of this paper and to the two Harits, A., Gernowo, R., Suseno, J.E., 2022.
lecturers who have played an active role in directing Adaptation of Information Systems Strategic
this research until it is completed. The author is also Planning of Universities Using COBIT 2019 in
grateful to XY University for being willing to be a Post Covid-19. JST: Jurnal Sains dan
case study for this research, as well as to stakeholders Teknologi, 11(2), 339–350.
who have been willing to spend time in interviews and https://doi.org/10.23887/jstundiksha.v11i2.483
discussions at XY University. Hopefully, this research 65
can be a reference for the improvement of the quality Haster, A.P., Hartomo, K.D., 2022. Analisis Tingkat
of XY University. Kematangan Smart City Kabupaten Lombok
Utara Menggunakan COBIT 2019. Jurnal
Daftar Pustaka Media Informatika Budidarma, 6(3), 1459.
http://dx.doi.org/10.30865/mib.v6i3.4344
Alonso, I.A., Caro, E.T., Verdún, J.C., García, N.A.B., ISACA. (2018a). COBIT® 2019: Designing an
2020. Factors Influencing the Implementation of Information and Technology Governance
IT Governance in Public Universities. 2020 2nd Solution. ISACA.
International Conference on Advances in ISACA. (2018b). COBIT® 2019: Governance and
Computing, Communication Control and Management Objectives. ISACA.
Networking (ICACCCN), 89-94. Legowo, N., Christian, 2019. Evaluation of
https://doi.org/10.1109/ICACCCN51052.2020. Governance Information System using
9362790 Framework COBIT 5 in Banking Company.
Anastasia, P.N., Atrinawati, L.H., 2020. Perancangan 2019 International Conference on Sustainable
Tata Kelola Teknologi Informasi Menggunakan Engineering and Creative Computing
Framework COBIT 2019 pada Hotel XYZ. JSI: (ICSECC), 281–286.
Jurnal Sistem Informasi (E-Journal), 12(2). https://doi.org/10.1109/ICSECC.2019.8907123
https://doi.org/10.36706/jsi.v12i2.12329 Lestari, M., Iriani, A., Hendry, 2022. Information
Asterinadewi, T., Handoko, Y., 2018. Asesmen Technology Governance Design in DevOps-
Kapabilitas Menggunakan Kerangka Kerja Based E-Marketplace Companies Using COBIT
COBIT 5 Process Assessment Model dalam 2019 Framework. INTENSIF, 6(2), 233–252.
Penerapan Tata Kelola Teknologi Informasi. https://doi.org/10.29407/intensif.v6i2.18104
Jurnal Tata Kelola Dan Kerangka Kerja Lompoliu, E.M., Francolla, G.B.R.F., Mandoya, G.R.,
Teknologi Informasi, 3(2), 61–70. Walangitan, M.D., Mambu, J.Y., 2022.
http://dx.doi.org/10.34010/jtk3ti.v3i2.463 Information Technology Governance Analysis
Audia, R., Sugiantoro, B., 2022. Evaluation and Using The COBIT 2019 Framework at XYZ
Implementation of IT Governance Using the Institution. CogITo Smart Journal, 8(2), 346–
2019 COBIT Framework at the Department of 358.
Food Security, Agriculture and Fisheries of https://doi.org/10.31154/cogito.v8i2.427.346-
Balangan Regency. IJID (International Journal 358
on Informatics for Development), 11(1), 152– Murad, D.F., Fernando, E., Irsan, M., Kosala, R.R.,
161. https://doi.org/10.14421/ijid.2022.3381 Ranti, B., Supangkat, S.H., 2018.
Bernika, H., Nuryana, I.K.D., 2021. Perancangan Tata Implementation of COBIT 5 Framework for
Kelola Teknologi Informasi Menggunakan Academic Information System Audit
Kerangka Kerja COBIT 2019 (Studi Kasus: LPP Perspective: Evaluate, Direct, and Monitor.
RRI Madiun). JEISBI, 2(3), 63–70. 2018 International Conference on Applied
Fadhilah, R., Santosa, I., Abdurrahman, L., 2021. Information Technology and Innovation
Rencana Audit Teknologi Informasi (ICAITI), 102–107.
Menggunakan COBIT 2019 pada Unit Isti https://doi.org/10.1109/ICAITI.2018.8686700
Universitas Telkom. Jurnal Informatika dan Nurcahya, H., Setiawan, E., Permana, B., 2022.
Komputer, 4(3), 157–163. Information Technology Governance Audit
https://doi.org/10.33387/jiko.v4i3.3325 Using COBIT Framework 2019 (Case Study:
Gallaran, F.B., Pagiu, C., Palelleng, S., 2022. Audit Mandiri University). Budapest International
Sistem Informasi Akademik Universitas Kristen Research and Critics Institute (BIRCI-
Indonesia Toraja dengan Menggunakan Journal) : Humanities and Social Sciences, 5(1),
framework COBIT 5. Faktor Exacta, 15(3), 8030–8038.
174–179. Permenristekdikti No. 62, Tahun 2017.
Gunawan, W., Kalensun, E.P., Fajar, A.N., Sfenrianto, Riadi, F.T., Manuputty, A.D., Saputra, A., 2018.
2018. Applying COBIT 5 in Higher Education. Evaluasi Manajemen Risiko Keamanan

121
 Jurnal Sistem Informasi Bisnis 02(2024)
Copyright ©2024, JSINBIS, p-ISSN: 2502-2377, e-ISSN: 2088-3587
On-line: http://ejournal.undip.ac.id/index.php/jsinbis/article/view/59368

Informasi dengan Menggunakan COBIT 5 Information Systems: Smart Green Technology

Subdomain EDM03 (Ensure Risk for Sustainable Living, ICSGTEIS 2018 -
Optimisation). Jutei, 2(1), 1–10. Proceeding, 7, 210–214.
https://doi.org/10.21460/jutei.2018.12.53 https://doi.org/10.1109/ICSGTEIS.2018.87091
Safitri, A., Syafii, I., Adi, K., 2021. Identifikasi Level 44
Pengelolaan Tata Kelola SIPERUMKIM Kota Sipayung, A.B., Yunis, R., Elly, E., 2022. Evaluation
Salatiga berdasarkan COBIT 2019. Jurnal Of Information Technology Governance at
RESTI (Rekayasa Sistem dan Teknologi Mikroskil University Using COBIT 2019
Informasi), 5(3), 429–438. Framework with BAI11 Domain. International
https://doi.org/10.29207/resti.v5i3.3060 Journal of Research and Applied Technology,
Salegar, I., Rizal, S., 2020. Evaluasi Kematangan Tata 2(2), 128–143.
Kelola Sistem Informasi Akademik Perguruan https://doi.org/10.34010/injuratech.v2i2.8085
Tinggi menggunakan COBIT 5.0. Seri Tulus, B.V., Tanaamah, A.R., 2023. Design of
Prosiding SENADI, 4(1), 87–90. Information Technology Governance in
Saleh, M., Yusuf, I., Sujaini, H., 2021. Penerapan Educational Institutions Using COBIT 2019
Framework COBIT 2019 pada Audit Teknologi Framework. Journal of Information Systems and
Informasi di Politeknik Sambas. Jurnal Edukasi Informatics, 5(1), 31–43.
dan Penelitian Informatika (JEPIN), 7(2), 204. https://doi.org/10.51519/journalisi.v5i1.408
https://doi.org/10.26418/jp.v7i2.48228 Wabang, K., Rahma, Y., Widodo, A. P., & Nugraha,
Samsinar, Sinaga, R., 2022. Information Technology F., 2021. Tata Kelola Teknologi Informasi
Governance Audit at XYZ College Using Menggunakan COBIT 2019 pada PSI
COBIT Framework 2019. Berkala Sainstek, Universitas Muria Kudus. Jurnal Teknologi dan
10(2). https://doi.org/10.19184/bst.v10i2.30325 Sistem Informasi, VII(3), 275–282.
Saputra, M.A., Redo, M.R., 2021. Penerapan Yasin, M., Arman, A.A., Edward, I.J.M.,
Framework COBIT 2019 untuk Perancangan Shalannanda, W., 2020. Designing Information
Tata Kelola Teknologi Informasi pada Security Governance Recommendations and
Perguruan Tinggi. Journal of Science and Social Roadmap Using COBIT 2019 Framework and
Research, 4(3), 352. ISO 27001:2013 (Case Study Ditreskrimsus
https://doi.org/10.54314/jssr.v4i3.715 Polda XYZ). Proceeding of 14th International
Saridewi, A.I., Wiharta, D.M., Sastra, N.P., 2018. Conference on Telecommunication Systems,
Evaluation of Integrated University Services, and Applications, TSSA 2020,
Management Information System Using COBIT 2013(95), 3–7.
5 Domain DSS. 2018 International Conference https://doi.org/10.1109/TSSA51342.2020.9310
on Smart Green Technology in Electrical and 875

122