repositori.unud.ac.id · 2017. 6. 6. · August 2015. Vol. 78 No.3 . iii Dr. CHRISTEL BAIER...
Journal of Theoretical and Applied Information Technology
© 2005 - 2015 JATIT & LLS. All rights reserved
ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195
JOURNAL OF THEORETICAL AND APPLIED INFORMATION TECHNOLOGY
EDITORIAL COMMITTEE
NIAZ AHMAD (Chief Editor) Professor, FCE, MOE, H-9 Islamabad PAKISTAN
SHAHBAZ GHAYYUR (Co-Chief Editor) Assistant Professor, DCS, FBAS, International Islamic University Islamabad, PAKISTAN
SAEED ULLAH (Associate Editor) Assistant Professor, DCS, Federal Urdu University of Arts, Science & Technology Islamabad, PAKISTAN
MADIHA AZEEM (Associate Editor) Journal of Theoretical and Applied Information Technology, Islamabad. PAKISTAN
SALEHA SAMAR (Managing Editor) Journal of Theoretical and Applied Information Technology, Islamabad. PAKISTAN
KAREEM ULLAH (Managing Editor) Journal of Theoretical and Applied Information Technology, Islamabad. PAKISTAN
SHAHZAD A. KHAN Lecturer IMCB, FDE Islamabad, PAKISTAN (Managing Editor/Linguists & In-charge Publishing) Journal of Theoretical and Applied Information Technology, Islamabad. PAKISTAN
August 2015. Vol. 78 No.3 .
JOURNAL OF THEORETICAL AND APPLIED INFORMATION TECHNOLOGY
REGIONAL ADVISORY PANEL
Dr. SIKANDAR HAYAT KHIYAL Professor & Chairman DCS & DSE, Fatima Jinnah Women University, Rawalpindi, PAKISTAN
Dr. MUHAMMAD SHER Professor & Chairman DCS, FBAS, International Islamic University Islamabad, PAKISTAN
Dr. ABDUL AZIZ Professor of Computer Science, University of Central Punjab, PAKISTAN
Dr. M. UMER KHAN Asst. Professor Department of Mechatronics, Air University Islamabad, PAKISTAN
Dr. KHALID HUSSAIN USMANI Asst. Professor Department of Computer Science, Arid Agriculture University, Rawalpindi, PAKISTAN
JOURNAL OF THEORETICAL AND APPLIED INFORMATION TECHNOLOGY
EDITORIAL ADVISORY BOARD
Dr. CHRISTEL BAIER Technical University Dresden, GERMANY
Dr. KHAIRUDDIN BIN OMAR Universiti Kebangsaan Malaysia, 43600 Bangi Selangor Darul-Ehsan, MALAYSIA
Dr. YUSUF PISAN University of Technology, Sydney, AUSTRALIA
Dr. S. KARTHIKEYAN Department of Electronics and Computer Engineering, Caledonian College of Engineering, OMAN (University College with Glasgow University, Scotland, UK)
Dr. YUXIN MAO School Of Computer & Information Engineering Zhejiang Gongshang University, CHINA
Dr. ZARINA SHUKUR Fakulti Teknologi dan Sains Maklumat, University Kebangsaan MALAYSIA
Dr. NOR AZAN MAT ZIN Faculty of Information Science & Technology, National University of MALAYSIA
Dr. R. PONALAGUSAMY National Institute of Technology, Tiruchirappalli, Tamil Nadu, INDIA
Dr. MOHAMMAD TENGKU SEMBOK Universiti Kebangsaan MALAYSIA
Dr. PRABHAT K. MAHANTI University of New Brunswick, Saint John, New Brunswick, CANADA
Dr. NITIN UPADHYAY Birla Institute of Technology and Science (BITS), Pilani-Goa Campus, INDIA
Dr. S.S.RIAZ AHAMED Mohamed Sathak Engineering College, Kilakarai, &Sathak Institute of Technology, Ramanathapuram , Tamilnadu, INDIA
Dr. A. SERMET ANAGÜN Eskisehir Osmangazi University, Industrial Engineering Department, Bademlik Campus, 26030 Eskisehir, TURKEY.
Dr. YACINE LAFIFI Department of Computer Science, University of Guelma, BP 401, Guelma 24000, ALGERIA.
Dr. CHRISTOS GRECOS School Of Computing, Engineering And Physical Sciences University Of Central Lancashire. UNITED KINGDOM
Dr. JAYANTHI RANJAN Institute of Management Technology Raj Nagar, Ghaziabad, Uttar Pradesh, INDIA
Dr. ADEL M. ALIMI National Engineering School of Sfax (ENIS), University of SFAX, TUNISIA
Dr. RAKESH DUBE Professor & Head, RKG Institute of Technology, Ghaziabad, UP, INDIA
Dr. ADEL MERABET Department of Electrical & Computer Engineering, Dalhousie University, Halifax, CANADA
Dr. HEMRAJ SAINI CE&IT Department, Higher Institute of Electronics, BaniWalid. LIBYA
Dr. MAUMITA BHATTACHARYA SOBIT, Charles Sturt University Albury - 2640, NSW, AUSTRALIA
Dr. SEIFEDINE KADRY Lebanese International University, LEBANON
Dr. AIJUAN DONG Department of Computer Science Hood College Frederick, MD 21701. USA
Dr. ZURIATI AHMAD ZUKARNAIN University Putra Malaysia, MALAYSIA
Dr. HEMRAJ SAINI Higher Institute of Electronic, BaniWalid LIBYA
Dr. CHELLALI BENACHAIBA University of Bechar, ALGERIA
Dr. MOHD NAZRI ISMAIL University of Kuala Lumpur (UniKL) MALAYSIA
Dr. VITUS SAI WA LAM The University of Hong Kong, CHINA
Dr. WITCHA CHIMPHLEE Suan Dusit Rajabhat University, Bangkok, THAILAND
Dr. SIDDHIVINAYAK KULKARNI University of Ballarat, Ballarat, AUSTRALIA
Dr. S. KARTHIKEYAN Caledonian College of Engineering, OMAN
Dr. DRAGAN R. MILIVOJEVIĆ Mining and Metallurgy Institute BorZelenibulevar 35, 19210 Bor, SERBIA
Dr. E. SREENIVASA REDDY Principal - VasireddyVenkatadri Institute of Technology, Guntur, A.P., INDIA
Dr OUSMANE THIARE Gaston Berger University, Department of Computer Science, UFR S.A.T, BP 234 Saint- Louis SENEGAL
Dr. SANTOSH DHONDOPANT KHAMITKAR RamanandTeerthMarathwada University, Nanded. Maharashtra 431605, INDIA
Dr. M. IQBAL SARIPAN (MIEEE, MInstP, Member IAENG, GradBEM) Dept. of Computer and Communication Systems Engineering, Faculty of Engineering, Universiti Putra MALAYSIA
Dr. E. SREENIVASA REDDY Principal - Vasireddy Venkatadri Institute of Technology, Guntur, A.P., INDIA
Dr. T.C. MANJUNATH, Professor & Head of the Dept., Electronics & Communication Engg. Dept, New Horizon College of Engg., Bangalore-560087, Karnataka, INDIA.
Dr. SIDDHIVINAYAK KULKARNI Graduate School of Information Technology and Mathematics University of Ballarat AUSTRALIA
Dr. SIKANDAR HAYAT KHIYAL Professor & Chairman DCS & DSE, Fatima Jinnah Women University, Rawalpindi, PAKISTAN
Dr. MUHAMMAD SHER Professor & Chairman DCS, FBAS, International Islamic University Islamabad, PAKISTAN
Dr. ABDUL AZIZ Professor of Computer Science, University of Central Punjab, PAKISTAN
Dr. M. UMER KHAN Asst. Professor Department of Mechatronics, Air University Islamabad, PAKISTAN
Elite Panel Members Have A Decision Weight Equivalent of Two Referees (Internal OR External). The Expertise Of Editorial Board Members Are Also Called In For Settling Refereed Conflict About Acceptance/Rejection And Their Opinion Is Considered As Final.
Dr. RIKTESH SRIVASTAVA Assistant Professor, Information Systems Skyline University College P O Box 1797, Sharjah, UAE
Dr. BONNY BANERJEE PhD in Computer Science and Engineering, The Ohio State University, Columbus, OH, USA Senior Scientist Audigence, FL, USA
PROFESSOR NICKOLAS S. SAPIDIS DME, University of Western Macedonia Kozani GR-50100, GREECE.
Dr. NAZRI BIN MOHD NAWI Software Engineering Department, Faculty of Science Computer Information Technology, Universiti Tun Hussein Onn MALAYSIA
Dr. JOHN BABALOLA OLADOSU Ladoke Akintola University of Technology, Ogbomoso, NIGERIA
Dr. ABDELLAH IDRISSI Department of Computer Science, Faculty of Science, Mohammed V University - Agdal, Rabat, MOROCCO
Dr. AMIT CHAUDHRY University Institute of Engineering and Technology, Panjab University, Sector-25, Chandigarh, INDIA
Dr. ASHRAF IMAM Aligarh Muslim University, Aligarh-INDIA
Dr. MOHAMMED ALI HUSSAIN Dept. of Computer Science & Engineering, Sri Sai Madhavi Institute of Science & Technology, Mallampudi, Rajahmundry, A.P, INDIA
Dr. KHALID HUSSAIN USMANI Asst. Professor Department of Computer Science, Arid Agriculture University, Rawalpindi, PAKISTAN
Dr. GUFRAN AHAMD ANSARI Qassim University, College of Computer Science, Ministry of Higher Education, Qassim University, KINGDOM OF SAUDI ARABIA
Dr. Defa Hu School of Information, Hunan University of Commerce Changsha 410205, Hunan, P. R. of China
PREFACE
Journal of Theoretical and Applied Information Technology (JATIT), published since 2005 (E-ISSN 1817-3195 / ISSN 1992-8645), is an international refereed research publishing journal with a focused aim of promoting and publishing original high quality research dealing with theoretical and scientific aspects in all disciplines of Information Technology. JATIT is an international scientific research journal focusing on issues in information technology research. A large number of manuscript inflows reflects its popularity and the trust of the world's research community. JATIT is indexed with various organizations and is now published on a monthly basis.
All technical or research papers and research results submitted to JATIT should be original in nature, never previously published in any journal or undergoing such process across the globe. All the submissions will be peer-reviewed by the panel of experts associated with JATIT. Submitted papers should meet the internationally accepted criteria and manuscripts should follow the style of the journal for the purpose of both reviewing and editing. All of its articles also appear online as per policy of JATIT.
Journal of Theoretical and Applied Information Technology receives papers in continuous flow and we will consider articles from a wide range of Information Technology disciplines encompassing the most basic research to the most innovative technologies. Please submit your papers electronically to our submission system at http://jatit.org/submit_paper.php in an MSWord, Pdf or compatible format so that they may be evaluated for publication in the upcoming issue. This journal uses a blinded review process; please remember to include all your personal identifiable information in the manuscript before submitting it for review, we will edit the necessary information at our side. Submissions to JATIT should be full research / review papers (properly indicated below main title). It is the sole responsibility of the submitting authors to make sure that the submitted manuscript is not in process of publication anywhere in any conference/journal across the globe, nor part or whole of it is copied from any source. The review process may take anywhere from five days to two months depending on the response time to referees. Authors will be informed about the updated status via e-mail as soon as we receive the evaluation results. After submission of publication dues for accepted manuscripts a publication slot will be allocated to your manuscript for its publication in upcoming monthly issues of JATIT.
ABSTRACTING & INDEXING
Journal of Theoretical and Applied Information Technology Islamabad Pakistan is focused, double blind peer reviewed journal that is now being published monthly and is published by Asian Research Publishing Network and is Indexed / Abstracted by the following International Agencies and institutions. JATIT has been regularly published since 2005 and now has a well reputed international standing and invites contributions from researchers, scientists, and practitioners from all over the world.
*- Ulrich's Periodicals Directory
*- DataBase systems and Logic Programming (DBLP)
*- EBSCO Publishing USA
*- Directory of Open Access Journals (DOAJ)
*- Google & Google Scholar Journals
*- The Index of Information Systems Journals
*- Information Technology Resources Collection
*- ZDNet Australia
*- NLM Catalog
*- Computing Research and Education Association of Australasia
*- CiteSeer
*- Elsevier
*- SCOPUS
*- Engineering Village
*- TOC Premier
*- Computer Science Journals
*- Computers and Applied Sciences Complete
*- N|W Switzerland
*- Microsoft Academic Search
*- Cabell Publishing
*- OpenJgate
*- INSPEC
*- IAOR Palgrave Macmillan
Feel free to suggest JATIT to any Indexing & Abstracting Services which are appropriate to its scope.
Journal of Theoretical and Applied Information Technology, 31st August 2015. Vol.78. No.3
AUDIT OF ACCOUNTING INFORMATION SYSTEM USING COBIT 4.1 FOCUS ON DELIVER AND SUPPORT DOMAIN
1 NI PUTU SRI MERTA SURYANI, 2 GUSTI MADE ARYA SASMITA, 3 I KETUT ADIPURNAWAN
1 Under Graduate Student, Department of Information Technology, Udayana University, Bali, Indonesia
2,3 Lecturer, Department of Information Technology, Udayana University, Bali, Indonesia
E-mail: [email protected], [email protected], [email protected]
ABSTRACT
The audit is required at a university to evaluate the IT services on accounting information system. The audit of accounting information system at one of the universities in Indonesia aims to determine the maturity level of IT services in supporting the financial data management. Audit of accounting information system is very important because the university can determine the extent of IT services that have been given. In addition, the audit results can also be used as a reference for the future in improving IT services in accounting information system. Stages of accounting information system audit begin with choosing a domain, which includes the identification of business goals, IT goals, IT process and control objectives using the COBIT 4.1 framework. The next stage is to collect the necessary data through interviews and surveys using questionnaires. The data collected are then processed to obtain a maturity level. Results of the audit of accounting information system that has been conducted show that the maturity index of the entire IT process is 2.69, which means the current level of maturity is 3-defined. The expected level of maturity is 4-managed. A comparison of the current and expected level of maturity gives rise to the gap. Improvement strategies are given to overcome the gaps that appear, based on the COBIT 4.1 framework and supported by the ITIL V3 framework that has been through the mapping process using the COBIT 4.1 IT process.
Keywords: Audit of Information System, COBIT 4.1, ITIL V3, Maturity Level, Gap, Improvement
1. INTRODUCTION
The role of information technology within the university in Indonesia is very important, especially for a university that has the status as a BLU. Each university which has status as a BLU is required to manage financial data independently, systematically and accountably.
Financial data management that is independent, systematic and accountable requires good information technology governance [3]. Information technology governance, as an integral part of a company that consists of the leadership, structures and organizational process, ensures that information technology within the organization continues and improves the organization's goals and strategies [2][4].
Audit of accounting information system needs to be done to improve the financial data management and to create an accountable financial report in accordance with accounting standard. With the audit of accounting information system, it is also expected that IT services can provide effectiveness and efficiency in the future.
Audit of accounting information system focuses on the delivery and support of IT services to meet the needs and satisfaction of users. This audit uses two IT governance frameworks, namely COBIT 4.1 supported by ITIL V3.
COBIT 4.1 is a framework for IT governance that includes planning, implementation, operation and monitoring of the entire process. COBIT 4.1 consists of 4 domains, namely Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate, with 34 IT process in them [5][9][11]. The ITIL V3 framework is a guideline that provides the best practices for service management [6]. ITIL V3 consists of Service Operation, Service Transition, Service Design, Service Strategy and Continual Service Improvement [10].
The COBIT 4.1 framework is used as a reference in determining the IT process and measuring the maturity level of IT process. The poor current level of maturity made it necessary to determine an expected maturity level target, which gives rise to a gap. The gap that appears is used as a reference to determine improvement strategy.
Improvement strategies are determined based on the COBIT 4.1 framework, supported by the ITIL V3 framework that has been through the mapping process of the IT process in the COBIT 4.1 framework [7][12].
Audit of accounting information system using two frameworks provides better audit results. In addition, weaknesses in accounting information system can be seen in more detail by using the two frameworks, COBIT 4.1 and ITIL V3 [10].
The audit of accounting information system uses the COBIT 4.1 framework to measure the maturity level of IT services and ITIL V3 as a support in recommendations for improvement. The audit only focused on the 13 IT process in the Deliver and Support domain of the COBIT 4.1 framework. The Deliver and Support domain puts more emphasis on the process of IT services, system security, training, data management and other aspects of the accounting information system that has been used. Some people have also conducted audits using IT governance frameworks such as COBIT, ISO 27000, ITIL, COSO and others [5][6][10].
2. AUDIT METHOD
The stages to be performed in the audit of accounting information system are shown in Figure 1.
[Figure 1: Stage of Audit Process. Flowchart, from Start to End: Audit Planning (Determining the Problem Formulation, Purposes and Problem Limitations; Review of Literature: Study of Literature, University Data Collection); Domain Selection (Business Goal Identification, IT Goal Identification, IT Process Identification, Control Objective Identification); Data Collection (Interview, Survey using a Questionnaire); Data Processing and Analysis (Current Maturity Level, Expected Maturity Level, Maturity Gap); Improvement Strategy Based on ITIL V3 Framework; Preparation of a Final Report of Audit Result.]
The initial stage in planning an audit is to determine the problem formulation, purposes and problem limitations. In the planning stage, literature study and university data collection are performed to support the audit process. The next step is selection of domain based on the COBIT 4.1 framework.
Selection of domain is conducted to choose the IT process that will be used in the audit. The IT process are obtained through the identification of business goals, IT goals, identification of IT process and identification of control objectives according to the COBIT 4.1 framework.
Data collection is conducted through interviews and surveys using questionnaires. Data obtained from interviews and surveys using questionnaires are then processed to obtain the maturity level of IT process.
Then the obtained IT process maturity level is analyzed. Afterwards the expected level of maturity is determined to see the level of maturity that has been achieved. Comparison of the current maturity level with the expected maturity level gives rise to a gap.
The gap that appears needs to be overcome by providing an improvement strategy. It is a step to achieve the expected level of maturity.
The improvement strategy provided is based on the COBIT 4.1 and ITIL V3 frameworks that have been through the mapping process. After giving the recommendation, the final stage of the audit process is the preparation of the final report of the audit results.
3. AUDIT MODEL
3.1. Questionnaire Draft of Maturity Level
Maturity level questionnaires are distributed to 29 respondents within the university. The selected respondents are respondents who have the duty and responsibility in the use of accounting information system.
The statement was designed based on the existing control objective in COBIT 4.1 IT process. Each IT process control objective has statements that describe how those controls are implemented and maintained [11]. Table 1 shows an example of the control objective statement draft DS2.2 in IT process DS2.

Table 1: Example of Control Objectives Statement Draft DS 2.2
Domain: DS2 Managed Third-party Services
Control Objective: DS2.2 – Supplier Relationship Management

| No | Statement | Value |
|---|---|---|
| 1 | The involvement of the system developers, internal parties and users are very close in creating a high value system. | |
Each respondent gives a rating to the IT process control objective statement that has been determined. The rating of statements is necessary because such statements are not of equal value in their application [1].

Table 2: The Rating of the Risk Assessment

| Risk | Value |
|---|---|
| High | 0,7 – 1,0 |
| Medium | 0,4 – 0,6 |
| Low | 0,1 – 0,3 |

The rating is determined from the implementation guidelines and level of importance to the organization. A statement rated with high risk means that the statement is very important to be done or implemented. A statement with medium risk rating does not have a threat as big as the high, but still needs to be implemented as a precautionary measure. Low risk is not required to be applied, but if it is implemented it will increase the performance of the system [1].
After making the statement, questions representing each control objective statement are made. Each statement does not always produce only one question; it can be more than one as long as these questions can represent each statement [1][3]. Table 3 contains a question draft example that represents a control objective statement of DS2.2 in IT process DS2.

Table 3: Example of Question Draft Represent the Control Objective Statement DS2.2
Domain: DS2 Managed Third-party Services
Control Objective: DS2.2 – Supplier Relationship Management

| No | Question | Score: 0 | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|---|
| 1 | In what extent is the involvement of the system developers, internal parties and users in creating a high quality system? | | | | | | |
Each respondent provides an assessment of the question that represents the control objective statement by ticking (√) one score in accordance with the opinion of the respondent. A score of 0 means non-existents, a score of 1 means initial, a score of 2 means repeatable, a score of 3 means defined, a score of 4 means managed, and a score of 5 means optimized. The score values being used refer to the maturity level of the COBIT 4.1 framework described in Table 4 [11].

Table 4: COBIT 4.1 Maturity Level

| Level | Description |
|---|---|
| 0 (Non-existents) | Organization knew nothing about the issue to be solved. Each process or problem is not clearly defined. |
| 1 (Initial) | The organization already has proof in identifying existing problems but needs to be directed. There is no standard process and the approach taken is ad-hoc. |
| 2 (Repeatable) | Organization has a developed process. There is a procedure to run a defined process, there is no formal training and standard communication procedures. |
| 3 (Defined) | The organization already has a standardized and documented procedure. The procedure has been well communicated through formal training. But at the implementation stage it depends on the individual whether to follow the established procedures or not. Procedure of the organization is not yet perfect but it is a mere formality on existing practice. |
| 4 (Managed) | Organization monitors and measures the procedures and policies that have been effectively implemented. In the event of errors and irregularities, a series of procedures for corrective actions to be undertaken already exist. Repairs are carried out consistently and provide best practices and results. Automation and tools are used limited and fragmented. |
| 5 (Optimized) | The conducted process has had improvement efforts at the level of continuous best practices that produces the best process and best results. The use of integrated information technology is already available, thereby automation can be done within the organization. A tool to improve the value and effectiveness already exists, thus the organization can well adapt. |
3.2. Measurement of Maturity Level
The results of the questionnaire data processing are used as a benchmark to determine the maturity level of IT process. In Table 5, COBIT 4.1 maturity level assessment criteria are shown [11].

Table 5: COBIT 4.1 Maturity Level Assessment Criteria

| Maturity Index | Maturity Level |
|---|---|
| 0 – 0,50 | 0 – Non-existents |
| 0,51 – 1,50 | 1 – Initial/ad hoc |
| 1,51 – 2,50 | 2 – Repeatable but Intuitive |
| 2,51 – 3,50 | 3 – Defined Process |
| 3,51 – 4,50 | 4 – Managed and Measurable |
| 4,51 – 5,00 | 5 – Optimized |
The maturity level is determined in accordance with the COBIT 4.1 framework that provides company capability grouping in the management of IT process from level zero (non-existent) to level five (optimized). Each maturity level has a list of statements used as a guideline in assessing the extent to which the process that takes place in the company has fulfilled the statement [8][11]. The maturity level calculation is described as follows [1][2][6].

1. Calculation of the average value of each statement (if the statement is more than one).
   Total Rating = ((Statement Rating 1) + (Statement Rating 2..n)) / Total Statement

2. Calculation of the value score of each statement.
   Total Score = (Question Score 1) + (Question Score 2...n)

3. Calculation of the value score average of each statement.
   Value Score = Total Score / Total Question

4. Calculation of the maturity level.
   Maturity Level = (Total Rating) x (Value Score)
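
The four calculation steps, the Table 5 bands and the gap to the expected level, as an added Python example (not code from the paper). Function names and the single-respondent answers in the `__main__` block are constructed; averaging per-process values into an overall index is an assumption, since the paper does not state how values are combined. The per-process indices are the ones the paper reports in Table 7.

```python
from decimal import Decimal, ROUND_HALF_UP

# Table 5 of the paper: upper bound of each maturity-index band and its level.
BANDS = [
    (Decimal("0.50"), "0 - Non-existent"),
    (Decimal("1.50"), "1 - Initial/ad hoc"),
    (Decimal("2.50"), "2 - Repeatable but Intuitive"),
    (Decimal("3.50"), "3 - Defined Process"),
    (Decimal("4.50"), "4 - Managed and Measurable"),
    (Decimal("5.00"), "5 - Optimized"),
]

# Current maturity index per IT process, as reported in Table 7 of the paper.
TABLE7 = {
    "DS1": "2.80", "DS2": "2.67", "DS3": "2.86", "DS4": "2.75", "DS5": "2.76",
    "DS6": "2.52", "DS7": "2.68", "DS8": "2.71", "DS9": "2.60", "DS10": "2.61",
    "DS11": "2.65", "DS12": "2.76", "DS13": "2.62",
}


def dec(x):
    """Convert str/int/float/Decimal to Decimal without binary float noise."""
    return Decimal(str(x))


def q2(x):
    """Round to two decimals, half up, matching the precision of the tables."""
    return dec(x).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def statement_maturity(ratings, question_scores):
    """Steps 1-4: (mean statement rating) x (mean question score)."""
    if not ratings or not question_scores:
        raise ValueError("at least one rating and one question score required")
    ratings = [dec(r) for r in ratings]
    if any(not Decimal("0.1") <= r <= Decimal("1.0") for r in ratings):
        raise ValueError("ratings must lie in the Table 2 range 0.1-1.0")
    if any(s not in range(6) for s in question_scores):
        raise ValueError("question scores must be 0..5")
    total_rating = sum(ratings) / len(ratings)                  # step 1
    total_score = sum(question_scores)                          # step 2
    value_score = Decimal(total_score) / len(question_scores)   # step 3
    return q2(total_rating * value_score)                       # step 4


def mean_index(values):
    """Assumption: an overall index is the arithmetic mean of its parts."""
    values = [dec(v) for v in values]
    return q2(sum(values) / len(values))


def classify(index):
    """Map a maturity index to its Table 5 level."""
    idx = q2(index)
    if not 0 <= idx <= 5:
        raise ValueError("maturity index must be between 0 and 5")
    for upper, level in BANDS:
        if idx <= upper:
            return level


def gap(current, expected=4):
    """Gap = expected maturity level - current maturity index."""
    return q2(dec(expected) - q2(current))


def summarize(table, expected=4):
    """Average index, its level, per-process gaps and the widest gap."""
    avg = mean_index(table.values())
    gaps = {proc: gap(value, expected) for proc, value in table.items()}
    return {
        "average": avg,
        "level": classify(avg),
        "gaps": gaps,
        "widest_gap": max(gaps, key=gaps.get),
    }


if __name__ == "__main__":
    # Constructed answers of one respondent: one statement rated 0.7 (high),
    # represented by two questions scored 4 and 3.
    value = statement_maturity(["0.7"], [4, 3])
    print("statement maturity:", value, "->", classify(value))
    result = summarize(TABLE7)
    print("average:", result["average"], "->", result["level"])
    for proc, g in result["gaps"].items():
        print(f"{proc:5s} gap to level 4: {g}")
    print("widest gap:", result["widest_gap"])
```
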
4. RESULT AND ANALYSIS
4.1. Determination of IT Process
Determination of IT process is performed through several phases. The initial stage is to align the vision, mission and purposes of the university in implementing the accounting information system to the business goals of COBIT 4.1. Alignment is conducted in order to obtain the business goals of COBIT 4.1. The COBIT 4.1 framework has 17 business goals that are grouped based on the Balanced Scorecard [11].
Next, the related IT goals are associated with the IT process contained in the COBIT 4.1 framework to obtain the IT process that will be used in audits of accounting information system. Table 6 shows the IT process used in the audit process.

Table 6: IT Process being Used

| IT Process | Description |
|---|---|
| DS1 | Define and Manage Service Levels |
| DS2 | Manage Third-party Services |
| DS3 | Manage Performance and Capacity |
| DS4 | Ensure Continuous Service |
| DS5 | Ensure Systems Security |
| DS6 | Identify and Allocate Costs |
| DS7 | Educate and Train Users |
| DS8 | Manage Service Desk and Incidents |
| DS9 | Manage the Configuration |
| DS10 | Manage Problems |
| DS11 | Manage Data |
| DS12 | Manage the Physical Environment |
| DS13 | Manage Operations |
Based on the selection of a domain that has been done, an audit of accounting information system focuses on the Deliver and Support domain that consists of 13 IT process based on the COBIT 4.1 framework.

4.2. Analysis of Current Maturity Level
Analysis of IT process maturity level on the Deliver and Support domain is conducted based on the COBIT 4.1 framework to determine the current level of maturity in the accounting information system. The questionnaire calculation results for the entire IT process distributed to 29 respondents can be seen in Table 7.

Table 7: Current Maturity Level of IT Process

| IT Process | Current Maturity Value | Current Maturity Level |
|---|---|---|
| DS1 Define and Manage Service Levels | 2,80 | 3-Defined Process |
| DS2 Manage Third-party Services | 2,67 | 3-Defined Process |
| DS3 Manage Performance and Capacity | 2,86 | 3-Defined Process |
| DS4 Ensure Continuous Service | 2,75 | 3-Defined Process |
| DS5 Ensure Systems Security | 2,76 | 3-Defined Process |
| DS6 Identify and Allocate Costs | 2,52 | 3-Defined Process |
| DS7 Educate and Train Users | 2,68 | 3-Defined Process |
| DS8 Manage Service Desk and Incidents | 2,71 | 3-Defined Process |
| DS9 Manage the Configuration | 2,60 | 3-Defined Process |
| DS10 Manage Problems | 2,61 | 3-Defined Process |
| DS11 Manage Data | 2,65 | 3-Defined Process |
| DS12 Manage the Physical Environment | 2,76 | 3-Defined Process |
| DS13 Manage Operations | 2,62 | 3-Defined Process |
| Maturity Level Average | 2,69 | 3-Defined Process |
Table 7 shows that the average level of maturity is 2.69, so that the condition of the current level of maturity is in 3-defined. The maturity level of 3-defined is a condition in which the accounting information system already has standardized and documented procedures. The procedure has been well communicated through formal training, but at the implementation stage it depends on the individual whether to follow the established procedures or not.

4.3. Analysis of the Current and the Expected Maturity Level
The COBIT 4.1 framework has a measure of maturity level ranging from 0 (non existents) to 5 (optimized) [8][11]. The target level of maturity of the IT process is determined gradually by looking at the current level of maturity, which is in 3-defined. It is also based on the purpose, vision and mission of the university to be achieved in implementing the accounting information system. Comparison of the current level of maturity with the expected level of maturity is shown in Table 8.

Table 8: IT Process Gaps

| IT Process | Current Maturity Level | Expected Maturity Level | Gap |
|---|---|---|---|
| DS1 Define and Manage Service Levels | 2,80 | 4 | 1,20 |
| DS2 Manage Third-party Services | 2,67 | 4 | 1,33 |
| DS3 Manage Performance and Capacity | 2,86 | 4 | 1,14 |
| DS4 Ensure Continuous Service | 2,75 | 4 | 1,25 |
| DS5 Ensure Systems Security | 2,76 | 4 | 1,24 |
| DS6 Identify and Allocate Costs | 2,52 | 4 | 1,48 |
| DS7 Educate and Train Users | 2,68 | 4 | 1,32 |
| DS8 Manage Service Desk and Incidents | 2,71 | 4 | 1,29 |
| DS9 Manage the Configuration | 2,60 | 4 | 1,40 |
| DS10 Manage Problems | 2,61 | 4 | 1,39 |
| DS11 Manage Data | 2,65 | 4 | 1,35 |
| DS12 Manage the Physical Environment | 2,76 | 4 | 1,24 |
| DS13 Manage Operations | 2,62 | 4 | 1,38 |
Table 8 shows that the expected level of maturity is 4-managed. Maturity level of 4-managed is a condition where it is possible to monitor and measure compliance to procedures and policies of accounting information system. If an error occurs when using the accounting information system, a series of procedures for improvement actions to be undertaken is available. Improvements are performed consistently and provide best practices and best results.
Graphic representation of the current levelof maturity with the expected level of maturity isshown in Figure 2.
Figure 2: Current and Expected Maturity Level Chart
The graph in Figure 2 shows that the IT process in the Deliver and Support domain are at the current maturity level of 3-defined and have not reached the expected maturity level of 4-managed, thus causing the gap. Recommendations for improvement should be provided to overcome the gaps that arise so that the expected maturity level of 4-managed can be achieved.
4.4. Improvement Strategy based on COBIT 4.1 and ITIL V3
Recommendations provided to overcome the gaps refer to the COBIT 4.1 and ITIL V3 frameworks. Improvement strategies are also supported by the ITIL V3 framework through a mapping process using the COBIT 4.1 IT process. The COBIT 4.1 framework mapping with ITIL V3 is presented in Table 9 [12].

Table 9: COBIT 4.1 and ITIL V3 Mapping

| COBIT 4.1 IT Process | ITIL V3 Process |
|---|---|
| DS1 Define and Manage Service Levels | SD 4.2 Service level management |
| DS2 Manage Third-party Services | SD 4.2.5.9 Develop contracts and relationships; SD 4.7 Supplier management |
| DS3 Manage Performance and Capacity | SD 4.3 Capacity management; SO 5.1 Monitoring and control (performance monitoring) |
| DS4 Ensure Continuous Service | SD 4.5 IT service continuity management; SO 4.6.8 IT service continuity management |
| DS5 Ensure Systems Security | SD 4.6 Information security management; SO 5.13 Information security management and service operation |
| DS6 Identify and Allocate Costs | SO 4.6.7 Financial management for IT services |
| DS7 Educate and Train Users | SO 5.14 Improvement of operational activities |
| DS8 Manage Service Desk and Incidents | SO 4.2 Incident management |
| DS9 Manage the Configuration | ST 4.3 Service asset and configuration management |
| DS10 Manage Problems | SO 4.4 Problem management |
| DS11 Manage Data | SD 5.2 Data and information management; SO 5.2.3 Backup and restore |
| DS12 Manage the Physical Environment | SD App E Environmental architectures and standards; SO 5.12 Facilities and data centre management |
| DS13 Manage Operations | SO 5.1 Monitoring and control; SO 6.4 IT operations management |
Based on the mapping of the COBIT 4.1 and ITIL V3 frameworks, recommendations are given to overcome the gaps that arise so that the expected maturity level of 4-managed can be achieved. The ITIL V3 framework is an IT governance guideline that provides best practices for service management. The improvement strategies towards maturity level 4-managed are shown in Table 10 [11][13][14][15].
Table 10: Improvement Strategies Based on COBIT 4.1 and ITIL V3
Improvement strategies towards level 4, COBIT 4.1 | Improvement strategies towards level 4, ITIL V3
DS 01 | SD 4.2
- It is necessary to measure and assess the IT services effectively based on defined criteria.
- It is necessary to analyse the causes of problems in services that were not fulfilled.
- There are plans to increase IT services that are run effectively.
- There are policies and procedures that are always followed.
- There are SLAs and OLAs that are used as guidelines in managing IT service levels.
DS 02 | SD 4.2.5.9 and SD 4.7
- Policies and procedures have been established to manage the relationship between services and system developers effectively.
- There is an agreement among all the parties involved to monitor the IT services provided by the system.
- There are monitoring results reported by the system developer effectively.
- There are plans for running IT services to improve the services to be provided by the system developer.
DS 03 | SD 4.3 and SO 5.1
- It is necessary to monitor performance and capacity so that, if they are not sufficient, this can be overcome with established procedures.
- It is necessary to report on the performance and capacity used to support the effective running of IT services.
- There are plans for the availability of performance and capacity, defined to improve the IT services.
- There are monitoring and reporting of the availability of IT services, conducted effectively.
DS 04 | SD 4.5 and SO 4.6.8
- The responsibility and plan for continuous IT service are contained in the contract that has been set.
- IT services are monitored effectively to ensure and improve continuous IT service.
- There are records about the use of IT services that serve as a reference in ensuring continuous service.
- There is risk management according to the ITIL V3 framework.
- There are policies and procedures for continuous services.
- There is a continuous service plan to be implemented in the future to support the improvement of IT services.
DS 05 | SD 4.6
- Security policies and procedures have been established and implemented effectively.
- Testing, monitoring and reporting are necessary to lead to improved levels of security effectively.
- There are IT security policies and procedures that must be adhered to and understood.
- There is an IT security audit that is done effectively.
- There is a setting of user access rights in IT service management.
- There is security testing of IT services.
DS 06 | SO 4.6.7
- It is necessary to understand the accountability of IT service costs.
- Policies for IT service cost allocation have been set so that the use of funds does not deviate.
- It is necessary to monitor and evaluate the cost of IT services to prevent cost irregularities.
- There is an effective evaluation report on the cost of IT services.
- There are cost allocation policies for IT services according to user needs.
- There are reports on the use of IT service costs.
- There is an evaluation of the budgeted costs and the expenses that have been used.
DS 07 | SO 5.14
- Education and training are performed effectively to develop the IT services to suit the users' needs and developing technology.
- It is necessary to classify the duty and responsibility of the user to take part in education and training.
- It is necessary to monitor effectively the programs given in the education and training.
- There are measurements through operational audits.
- There is a responsibility of each staff member for the given task.
- There is problem management that has many improvement solutions.
- There are education and training that are conducted and monitored effectively.
- There is a measurement of the results of education and training, which aims to enhance education and training in the future.
DS 08 | SO 4.2
- It is necessary to handle incidents in accordance with established responsibilities and standards.
- It is necessary to train the service desk staff to be able to handle the problems/incidents that appear effectively.
- There are procedures for the identification and classification of incidents/problems.
- There are effective diagnosis and investigation of IT services.
DS 09 | ST 4.3
- It is necessary to monitor, track and report on configuration file storage effectively.
- There are configuration management policies to be adhered to and understood.
- There are monitoring and reporting for configuration management.
DS 10 | SO 4.4
- Responsibility in solving problems.
- It is necessary to record, report and identify the problem effectively.
- Integrated management of problems is necessary, through communication among the staff involved in solving problems.
- There is detection of problems according to the ITIL V3 standard.
- There is problem categorization.
- There are records of problems that arise.
- There is detection of problems during system development.
DS 11 | SD 5.2 and SO 5.2.3
- It is necessary to manage data in accordance with duties and responsibilities.
- It is necessary to monitor the management of data, such as backing up and restoring data, effectively.
- There is a strategy to restore and back up data.
- There is a responsibility of the administrator to manage the data.
- There is a data management process to manage data assets.
DS 12 | SD App E and ST 3.1
- There are environmental and physical security procedures that are used to control access to the environments and hardware.
- It is necessary to monitor the environment and physical access.
- There is a limitation of environmental and physical access.
- There is an agreement with any person who will have environmental and physical access.
- There are environmental and physical monitoring and reporting.
DS 13 | SO 5.1 and SO 6.4
- It is necessary to monitor the computing resources and the tasks assigned.
- It is necessary to document the tasks and schedules owned by the staff so that IT and business management can more easily monitor the operations.
- There is a record of operations carried out effectively.
- There are monitoring and recording of the notifications that appear.
- There is monitoring of operations so that, if a problem occurs, improvement action can be taken.
5. CONCLUSION
The conclusion of the audit is that an audit of the accounting information system includes audit planning; selection of the domain, which consists of identifying the business goals, IT goals, IT processes and control objectives; data collection; processing and analysis of data; the improvement strategy; and preparation of the final report of the audit results. The audit of the accounting information system focuses on the Deliver and Support domain and the 13 IT processes it contains. The maturity level is measured using the COBIT 4.1 framework. The maturity level of the IT processes is 3-defined and the expected level of maturity is 4-managed, which gives rise to the gap. The improvement strategy given to overcome the gaps that appear is based on COBIT 4.1, supported by the ITIL V3 framework.
6. FURTHER RESEARCH DIRECTION
The audit results are expected to be used as a reference in developing and improving IT services in the accounting information system in the future. Future audits of the accounting information system are also expected to focus not only on the IT processes in the Deliver and Support domain but on all of the IT processes contained in the COBIT 4.1 framework. The expected maturity level must also be increased to maturity level 5-optimized, which is the highest maturity level in the COBIT 4.1 framework. The next audit is also expected to be able to use some of the IT governance frameworks as a comparison.
REFERENCES:
[1] Uma Sekaran, “Metodelogi Penelitian Untuk Bisnis”, Jakarta: Salemba Empat, 2006.
[2] Gondodiyoto, “Audit Sistem Informasi Lanjutan”, Jakarta: Mitra Wacana Media, 2007.
[3] Sarno Riyanarto, “Audit Sistem dan Teknologi Informasi”, Surabaya: ITS Press, 2009.
[4] HM Jogiyanto and Wily Abdilah, “Sistem Tata Kelola Teknologi Informasi”, Yogyakarta: Andi, 2011.
[5] Maria Yulita Putu Dita, I Made Sukarsa and I Ketut Adi Purnawan, “Assesment of COBIT Maturity Level with Existing Conditions from Auditor”, International Journal of Computer Science and Information Security (IJCSIS), Vol. 10, No. 6, 2012.
[6] Diema Hernyka Satyareni and Fia Mahanani, “Audit Sistem Informasi Akademik Perguruan Tinggi XYZ Menggunakan Kerangka Kerja COBIT 4.1”, Seminar Nasional Aplikasi Teknologi Informasi (Yogyakarta), 2014. ISSN: 1907-5022.
[7] Gusti Ayu Theresia Krisanthi, I Made Sukarsa and I Putu Agung Bayupati, “Governance Audit of Application Procurement Using COBIT Framework”, Journal of Theoretical and Applied Information Technology (JATIT), Vol. 59, No. 2, 2014.
[8] I Gusti Ayu Dian Sasmita Ratih, I Putu Agung Bayupati and I Made Sukarsa, “Measuring the Performance of IT Management in Financial Enterprise by Using COBIT”, I.J. Information Engineering and Electronic Business (IJIEEB), Vol. 6, No. 1: 15-24, 2014.
[9] Riza Afriza Islami, I Made Sukarsa, I Ketut Adi Purnawan, “Information Technology Governance Archetype in an Indonesian University”, TELKOMNIKA Indonesian Journal of Electrical Engineering, Vol. 12, No. 7, 2014.
[10] Samir Bahsani, Abdelaali Himi, Hassan Moubtakir and Alami Semma, “Towards a Polling of ITIL V3 and COBIT”, International Journal of Computer Science Issues (IJCSI), Vol. 8, Issue 6, No. 2, 2011. ISSN (Online): 1694-0814.
[11] IT Governance Institute Team, “COBIT 4.1”, United States of America: IT Governance Institute, 2007.
[12] IT Governance Institute Team, “COBIT Mapping; Mapping ITIL V3 with COBIT 4.1”, United States of America: IT Governance Institute, 2008.
[13] Office of Government Commerce (OGC), “ITIL version 3 Service Design”, The Stationery Office - TSO, London, 2007.
[14] Office of Government Commerce (OGC), “ITIL version 3 Service Operation”, The Stationery Office - TSO, London, 2007.
[15] Office of Government Commerce (OGC), “ITIL version 3 Service Transition”, The Stationery Office - TSO, London, 2007.