A Local Government Application Capability Level Information System Audit using COBIT 5 Framework

The ASN application stores State Civil Apparatus and Employee Work Target master data. The ASN application has never been audited. This study aimed to measure the capability level of the ASN application using the COBIT 5 framework. The audit results contain current findings and expectations for the future; the gaps are then analyzed and recommendations for improvement are made. Audit results based on domains DSS01, DSS02, DSS03, DSS04, DSS05


INTRODUCTION
Sistem Pemerintah Berbasis Elektronik (SPBE) is an Electronic-Based Government System, a government administration that utilizes information and communication technology to provide services to SPBE users [1]-[3]. One of the SPBEs used by the X City Government is the ASN application. This application stores the master data of ASN (State Civil Apparatus) and SKP (Employee Work Target). The benefit of this application is that it holds personnel data and can be used to assess ASN work performance. The government's effort in managing the ASN application is to conduct periodic audits. An Information and Communication Technology Audit is a systematic process to obtain and objectively evaluate evidence about information and communication technology assets in order to determine the level of conformity between information and communication technology and predetermined criteria and standards.
Information technology governance is a branch of corporate governance that focuses on information technology systems and on performance and risk management [4]. An information system audit is defined as the evaluation of existing evidence to determine whether a computer system protects assets, maintains data integrity, lets the organization achieve its goals effectively, and uses existing resources efficiently [5]. COBIT is developed periodically by ISACA. COBIT is a complete standard with a comprehensive scope as an audit framework [6], and COBIT 5 enables better management of information technology and organization, covering the entire business and functional scope of IT [7]. A RACI diagram is a matrix diagram that shows the parties who play a role in a company or organization. There are four roles on the RACI Chart, namely R (Responsible), A (Accountable), C (Consulted), and I (Informed). Responsible is the person responsible until the task is completed. Accountable means a person with the right to make a decision. Consulted is a crucial stakeholder who must be involved in all activities. Informed is a person who needs information [8].

The ASN application must be audited to organize good electronic-based regional personnel governance. ASN application governance audits help evaluate organizations so that the level of capability in ASN application governance can be known. The results of the audit evaluation process can be used to improve the implementation of ASN applications as far as possible. This study audits the ASN application using the COBIT 5 framework. COBIT management guidelines are issued by ISACA (Information System Audit and Control Association) and ITGI (Information Technology Governance Institute). COBIT is a framework that provides solutions for information technology governance through a domain of processes, activities, objectives, maturity models, and logical and orderly structures [9]. Research discussing information system audits using COBIT 5 was conducted by Gita Natalia Krisnawati in 2019 under the title "Evaluation of the Application of SIM-RS Using COBIT 5 at Lawang Hospital". That study differs in the domains discussed, which are the APO 07, BAI 07, and DSS 01 domains.
APO 07 (Manage Human Resources): This process in the APO domain is focused on managing the IT workforce effectively. It involves defining roles and responsibilities, acquiring and developing IT talent, and ensuring that staff are motivated and competent to perform their duties. BAI 07 (Manage IT Human Resources): This process in the BAI domain is closely related to APO 07 but focuses specifically on managing IT human resources during the build and implementation phases. It involves defining IT roles and responsibilities for projects, acquiring and developing IT talent for project teams, and ensuring project staff have the necessary skills and knowledge. DSS01 - Manage Operations: This process involves managing day-to-day IT operations, ensuring that IT services are delivered consistently and in accordance with service level agreements (SLAs) and operational standards [10].
The relationship with this study is measuring capability levels, analyzing gaps, and providing recommendations. The results obtained from that study are that the existing capability level is still far from the expected capability level, which is level 3. COBIT 5 has 4 levels. Level 1: Performed, Level 2: Managed, Level 3: Defined, and Level 4: Predictable [11].
Level 3 means that (a) processes are well-documented and standardized; (b) roles, responsibilities, and procedures are defined and followed consistently; (c) there is active management and monitoring of processes, including performance measurement; (d) continuous improvement is a focus, and lessons learned are used for enhancements. Reaching Level 3 maturity in COBIT 5 demonstrates a commitment to process excellence and the ability to deliver reliable and predictable results consistently. It signifies that an organization has well-defined processes that are managed, monitored, and continuously improved to meet business and IT objectives effectively. So, researchers will continue this research to provide recommendations and review improvements for applying SIM-RS Using COBIT 5 at Lawang Hospital, Malang Regency [12].
Research on ASN application governance audits using the COBIT 5 framework has never been conducted. Therefore, it is necessary to conduct research on the ASN application Information System Audit, aimed at determining the capability level of the ASN application so that it can be used for improvements and recommendations for ASN Information System governance.

METHOD
Based on Figure 1, the first step is identifying the problem, namely that the ASN application has never been audited. The author determines the formulation of the problem and conducts a reference study. The author then collects data. The analytical tool used in this study is the COBIT 5 standard issued by ISACA, using the domains DSS01, DSS02, DSS03, DSS04, DSS05, and DSS06 [13]. Some critical processes within the DSS domain in COBIT 5 include DSS01 - Manage Operations: This process involves managing day-to-day IT operations, ensuring that IT services are delivered consistently and per service level agreements (SLAs) and operational standards. DSS02 - Manage Service Requests and Incidents: It handles service requests and incidents from users and stakeholders. This includes incident logging, categorization, prioritization, and resolution. DSS03 - Manage Problems: This process is focused on identifying and addressing the root causes of recurring incidents and problems within the IT environment to prevent them from reoccurring. DSS04 - Manage Continuity: Ensuring business continuity and disaster recovery capabilities are in place to minimize the impact of disruptions on IT services. DSS05 - Manage Security Services: Managing the security aspects of IT services, including access control, data protection, and security incident management. DSS06 - Manage Business Process Controls: This process ensures that IT services support and align with business processes and that appropriate controls are in place to safeguard data and assets [14].
JINITA Vol. 5, No. 2, December 2023 DOI: doi.org/10.35970/jinita.v5i2.1971
After the questionnaire is collected, the data will be processed to calculate the level of capability containing current results and future expectations.A gap analysis is carried out to analyze the current status and future expectations.At the final stage, a list of recommendations and improvements is made.

Figure 1. Stages of research
This study calculates the process capability levels of DSS01, DSS02, DSS03, DSS04, DSS05, and DSS06 based on process attributes (PA). Process capability assessments are performed to identify specific groups of process capability. Each attribute defines a particular aspect of the process's capabilities. The combination of achieved process attributes determines the level of process capability [15]. The capability levels in COBIT 5 are shown in Figure 2, the capability level assessment model. The attribute mapping to capability level can be seen in Table 1. The process capability scale used in process assessment consists of six levels, namely [16]:
1. Level 0: incomplete process, i.e. the implementation of the process fails to achieve the goal.
2. Level 1: performed process, i.e. the implementation of the process can achieve the goal. PA1.1 Process performance is the process attribute that reflects level 1 achievement. PA1.1 measures the extent to which process objectives are achieved. The result of achieving this attribute is reflected in each process producing the expected output.
to produce a stable and predictable process within defined limits.
6. Level 5: optimizing process, i.e. processes at level 4 are improved on an ongoing basis to meet current and future organizational objectives. The attributes contained at this level are:
a. PA5.1 Process innovation: measures the extent to which process change is identified from process implementation and innovation approaches to process implementation.
b. PA5.2 Process optimization: measures the extent to which change is defined and process execution is managed effectively to support achieving process improvement objectives.
Each process attribute is measured on a standard rating scale based on ISO/IEC 15504 [17]. The scale used to assess process attributes is:
1. N: not achieved (0 to 15%).
Process attributes can be mapped into capability levels, as shown in Table 1. An organization is said to reach a certain level of capability when the attributes at that level are "fully achieved (F)" or "largely achieved (L)", and the attribute values for all levels below are "fully achieved (F)". For example, to achieve level 3, the organization must achieve F or L grades for PA3.1 and PA3.2, and PA2.1 and PA2.2 must be F. Another example: even though several processes have carried out all the base practices and produced all the work products, if the organization's overall value does not reach the F scale, there is no need for further level assessments [18].

RESULTS AND DISCUSSION
The RACI Chart can identify a member's responsibilities and roles in the organization [19]. This study uses the RACI diagram to find suitable and appropriate respondents to fill out the ASN information system audit questionnaire. There were 27 respondents consisting of the corresponding parts, as seen in Table 2. Respondents consisted of the Head of Field and IT Staff. Base practices and work products were identified using the COBIT 5 Process Assessment Model [20] and then used as material for the questionnaires given to the 27 respondents identified according to the RACI chart. The self-assessment process is completed through questionnaires, observations, and interviews. This self-assessment process is used to calculate the capability level [21].

After respondents filled out the questionnaire, the capability level was measured by recapitulating the assessment results for each process. The recapitulation of the DSS01 capability level assessment results can be seen in Table 3. According to the analysis in Table 3, the recapitulation of the questionnaire results on the DSS01 capability level assessment reached the Largely Achieved (L) scale with a percentage of 61%. The recapitulation of questionnaire results on the DSS02 capability level assessment can be seen in Table 4. According to the analysis in Table 4, the recapitulation of the DSS02 capability level assessment questionnaire results reached the Largely Achieved (L) scale with a percentage of 55 percent. The recapitulation of questionnaire results on the DSS03 capability level assessment can be seen in Table 5. According to the analysis in Table 5, the recapitulation of the DSS03 capability level assessment questionnaire results reached the Largely Achieved (L) scale with a percentage of 76%. The recapitulation of questionnaire results on the DSS04 capability level assessment can be seen in Table 6. According to the analysis in Table 6, the recapitulation of the DSS04 capability level assessment questionnaire results reached the Largely Achieved (L) scale with a percentage of 53%. The recapitulation of questionnaire results on the DSS05 capability level assessment can be seen in Table 7. According to the analysis in Table 7, the recapitulation of the DSS05 capability level assessment questionnaire results reached the Largely Achieved (L) scale with a percentage of 85%. The recapitulation of questionnaire results on the DSS05 capability level assessment can be seen in Table 8. According to the analysis in Table 8, the recapitulation of the DSS06 capability level assessment questionnaire results reached the Largely Achieved (L) scale with a percentage of 68%.

Based on the results of filling out questionnaires, interviews, and observations that researchers have carried out, the results of the recapitulation of the achievement of capability level in the ASN application are described in the following six sub-processes: The capability level assessment starts from level 1. According to the analysis from Table 9, the results of the recapitulation of the achievement of capability levels from the six process domains, namely DSS01, DSS02, DSS03, DSS04, DSS05, and DSS06, show the scale reaching Largely Achieved (L). So, it can be concluded that the ASN application audit results on these domains are at level 1, and the assessment is not continued to level 2 [18]. Level 1 is a performed process, which means that the process has been implemented and has achieved the planned objectives, and evidence of work product output was found according to the COBIT 5 Process Assessment Model framework [22]. Based on the results of interviews with ASN application managers, the desired level in the DSS01, DSS02, DSS03, DSS04, DSS05, and DSS06 sub-processes is level 2, managed process, namely, the process has been implemented in a more organized way (planned, monitored, and adjusted). The resulting product has been adequately defined, controlled, and maintained [23]. So, it can be concluded that the value of the gap is 1.
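
The rating rule from the Method section applied to the percentages reported above, as an added example that is not part of the original paper: it maps each PA1.1 percentage to the N/P/L/F scale, derives the capability level, and computes the gap to the target level. The P, L and F bands are the standard ISO/IEC 15504 ones (the page lists only the N band), and all function and variable names are assumptions.

```python
"""Capability level from process-attribute ratings (ISO/IEC 15504 rating rule)."""

# Process attributes belonging to each capability level, as listed in the paper.
LEVEL_ATTRIBUTES = {
    1: ("PA1.1",),
    2: ("PA2.1", "PA2.2"),
    3: ("PA3.1", "PA3.2"),
    4: ("PA4.1", "PA4.2"),
    5: ("PA5.1", "PA5.2"),
}

# PA1.1 achievement percentages reported in the results section of the paper.
PA1_1_PERCENT = {
    "DSS01": 61, "DSS02": 55, "DSS03": 76,
    "DSS04": 53, "DSS05": 85, "DSS06": 68,
}

TARGET_LEVEL = 2  # level requested by the ASN application managers, per the paper


def rate(percent):
    """Map an achievement percentage to N, P, L or F.

    Only the N band (0 to 15%) survives on the page; the P, L and F bands
    below are the standard ISO/IEC 15504 ones and are an assumption here.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"percentage out of range: {percent}")
    if percent <= 15:
        return "N"   # not achieved
    if percent <= 50:
        return "P"   # partially achieved
    if percent <= 85:
        return "L"   # largely achieved
    return "F"       # fully achieved


def capability_level(ratings):
    """Return the highest level reached for a dict of attribute -> rating.

    A level is reached when all of its attributes are L or F. A higher level
    is only assessed when every attribute of the levels below is F, so the
    first level that contains an L is also the last one that can be reached.
    Attributes that were not assessed count as N.
    """
    achieved = 0
    for level in sorted(LEVEL_ATTRIBUTES):
        current = [ratings.get(pa, "N") for pa in LEVEL_ATTRIBUTES[level]]
        if not all(r in ("L", "F") for r in current):
            break                     # this level is not reached
        achieved = level
        if not all(r == "F" for r in current):
            break                     # an L here blocks every higher level
    return achieved


def audit_summary(target=TARGET_LEVEL):
    """Rating, capability level and gap to target for each audited process."""
    summary = {}
    for process, percent in PA1_1_PERCENT.items():
        rating = rate(percent)
        level = capability_level({"PA1.1": rating})
        summary[process] = (rating, level, target - level)
    return summary


if __name__ == "__main__":
    for process, (rating, level, gap) in audit_summary().items():
        print(f"{process}: PA1.1={rating} level={level} gap={gap}")
```
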

After obtaining the capability level achieved at this time, the results of the expected level analysis in the DSS domain, and the gap analysis, the next step is the formulation of recommendations [24]. Appropriate recommendations are formulated for ASN application managers in the DSS01, DSS02, DSS03, DSS04, DSS05, and DSS06 subprocesses.

DSS01 subdomain recommendations
Recommendations for the DSS01 sub-domain, which currently reaches level 1 (performed process), to get to level 2 (managed process) include:
a. Create documents to complete work product documents on DSS01 sub-domains, including internal audit plans, incident tickets, IT facility environmental management reports, IT facility management and security rules, and create IT asset monitoring rules.

DSS02 subdomain recommendations
Recommendations for the DSS02 sub-domain, which currently reaches level 1 (performed process), to get to level 2 (managed process) include:
a. Improve the complaint reporting system by adding features for complaint criteria, approved service requests, completed service requests, and service satisfaction ratings from users of the disruption reporting system for services provided by officers. With these features and a resume of the results, the work product documents on the DSS02 sub-domain can be fulfilled.
b. Monitor incident reports so that they are generated promptly.
c. Evaluate service request and nuisance complaint procedures.
d. Analyze trends in service requests and incidents that occur.

DSS03 subdomain recommendations
Recommendations for the DSS03 sub-domain, which currently reaches level 1 (performed process), to get to level 2 (managed process) include:
a. Create documents to complete work product documents in DSS03 sub-domains, including problem classification scheme documents, documents on the results of studying problems that occur, problem monitoring reports, and ongoing problem solution documents.
b. Create a problem management catalog that is used to register and report identified issues and to establish an audit trail of the problem management process, which includes the status of each case (i.e., unworked on, in progress, or completed).
c. Monitor the issue resolution process to get regular reports on the progress of troubleshooting during the troubleshooting process.
d. Conduct regular meetings to discuss problems/incidents that have been identified and plan corrective steps.
e. Monitor changes resulting from problem-solving process activities (e.g. problem fixes and identified errors) and report them to superiors to estimate possible costs if improvements occur.
f. Identify problems and document permanent repair solutions to address the root cause systematically.
i. Assess the capability of a sustainable business plan after resuming business processes and services following a disruption/incident.

DSS05 subdomain recommendations
Recommendations for the DSS05 sub-domain, which currently reaches level 1 (performed process), to get to level 2 (managed process) include:
a. Create documents to complete work product documents on DSS05 sub-domains, including incident ticket documents.
b. Ensure and monitor access to IT assets (server rooms, buildings, areas, or zones) based on job functions and responsibilities. Also, monitor all entry points to the IT site. Register all visitors who enter IT assets. Furthermore, limit access to sensitive IT assets by setting perimeter boundaries, such as fences, walls, and security devices on interior and exterior doors. Ensure the device records the entry and triggers an alarm in case of unauthorized access. In the process of improving security, it is necessary to carry out regular physical security awareness training.
c. It is necessary to establish procedures for regulating the receipt, use, transfer, and disposal of unique forms. In establishing procedures, it is essential to inventory sensitive documents and output devices and perform regular reconciliation. It is also necessary to physically protect particular structures and sensitive devices appropriately.
d. It is necessary to maintain evidence collection procedures that align with forensic evidence rules and to communicate them to all staff so that all staff know the requirements.
e. Ensure security incident tickets are created promptly when monitoring identifies potential security incidents.

DSS06 subdomain recommendations
Recommendations for the DSS06 sub-domain, which currently reaches level 1 (performed process), to get to level 2 (managed process) include:
a. Create documents to complete work product documents on DSS06 sub-domains, including complete records on the results of processing effectiveness reviews, analysis documents and recommendations for the leading causes, information processing control report documents, and retention requirements documents.
b. Improve the identification and documentation of crucial business process control activities to meet the requirements of strategic, operational, reporting, and compliance control objectives. In addition, continuously improving the design and operation of ASN process control is necessary.
c. Perform business process activities and control ASN applications by correcting and resending incorrect data without compromising the initial transaction authorization level.
d. Improve data integrity and validity during the processing cycle. Verify the accuracy and completeness of the output.
e. Periodically review the allocation of access rights and privileges based on predefined job roles. Also, allocate roles for sensitive activities so that there is a clear separation of duties.
f. Establish and maintain procedures for assigning ownership, correcting errors, ruling out mistakes, and handling unbalanced conditions.
g. Establish retention requirements based on business requirements to meet operational, financial reporting, and compliance needs. Dispose of source information, supporting evidence, and transaction records in accordance with retention policies.
h. Implement data classification, acceptable use, and security policies and procedures to protect information assets, and identify and implement processes, tools, and techniques to properly verify compliance.

CONCLUSION
Based on the ASN information system audit analysis results, the DSS01, DSS02, DSS03, DSS04, DSS05, and DSS06 domains achieved capability level 1 (performed process) in ASN application management. It can be concluded that the ASN application manager has completed the goal, as evidence of work product output was found according to the COBIT 5 Process Assessment Model framework. Future research can use domains other than DSS to determine the development of the level of capability in other related fields or subdomain process chains, including EDM (Evaluate, Direct, and Monitor), MEA (Monitor, Evaluate and Assess), APO (Align, Plan and Organize) and BAI (Build, Acquire and Implement).

Figure 2. Process capability assessment model on COBIT 5

3. Level 2: managed process, i.e. the process at level 1 is implemented in a managed way (planned, monitored, and evaluated), and the work product of the process is appropriately defined, controlled, and maintained. Its attributes are:
a. PA2.1 Performance management: measures to what extent the implementation of the process is managed.
b. PA2.2 Work product management: measures to what extent work products are produced by well-regulated processes.
4. Level 3: established process, i.e. the process at level 2 is implemented using a method that has been defined and can achieve process results. Its attributes are:
a. PA3.1 Process definition: measures to what extent processes are defined to support the implementation of the process.
b. PA3.2 Process deployment: measures to what extent process standards are implemented effectively.
5. Level 4: predictable process, i.e. the process at level 3 is carried out within defined limits to achieve process results. The attributes are:
a. PA4.1 Process measurement: measures to what extent the measurement results are used to ensure that the implementation of the process can support the achievement of organizational goals.
b. PA4.2 Process control: measurement of the extent to which processes are quantitatively arranged

Table 2. Research respondents in the RACI Chart

Table 3. Recapitulation of the results of questionnaire processing in the DSS01 process
Recapitulation of Questionnaire Results on Capability Level Assessment on DSS 01

Table 4. Recapitulation of Questionnaire Processing Results in the DSS02 process
Recapitulation of Questionnaire Results on Capability Level Assessment on DSS 02

Table 6. Recapitulation of Questionnaire Processing Results in the DSS04 process
Recapitulation of Questionnaire Results on Capability Level Assessment on DSS 04

Table 6. Recapitulation of Questionnaire Processing Results in the DSS05 process

Table 9. Image of the results of the recapitulation of capability level achievement

b. Plan internal audits at least one time in 2 years.
c. Monitor event logging so incident tickets are created promptly.
d. Plan environmental and IT infrastructure management rules.
e. Plan staff capacity building in the management of IT infrastructure and environment.

b. Identify business processes and service activities critical to the ASN application's continuity.
c. Plan, monitor, and evaluate ASN application continuity strategies in response to disruptions to obtain time and cost-saving options.
d. Develop and implement plans to effectively maintain business continuity in responding to incidents in the event of disruption.
e. Plan and conduct regular continuity testing to implement the recovery plan against predetermined outcomes and develop recommendations to improve the continuity plan.
f. Conduct periodic continuity capability reviews to ensure continued suitability, adequacy, and effectiveness. Manage plan changes through the change control process to maintain continuity plans.
g. Plan training on procedures, roles, and responsibilities of staff in case of disruption.
h. Determine backup data retention requirements with accessibility in mind.