Process Capability Assessment of Information Technology Governance on Information and Communication Technology Provider Company: Case Study on PT XYZ
Mulyana Chandra Hadiati (1) and Tb. M. Yusuf Khudri (2)
(1) Post Graduate Student in Master of Accounting, Universitas Indonesia, Salemba, Jakarta, Indonesia
(2) Lecturer in Master of Accounting, Universitas Indonesia, Salemba, Jakarta, Indonesia
Keywords: IT Governance, Process Assessment Model using COBIT 5, Process Capability Level, Information and
Communication Technology Provider.
Abstract: Recently, information technology (IT) has become more important for organizations in controlling and
improving their business performance. Given its important role in the organization, IT frequently
represents a significant amount of investment. High spending on IT investment raises the necessity of good
IT Governance implementation to ensure value realization, risk mitigation and practice of expected
behavior. Accordingly, ISACA defined the Process Assessment Model (PAM) Using COBIT 5 as a basis
for conducting process capability assessment to measure the IT Governance practice in an organization. In
this research, the assessment took place at one of the information and communication providers in Indonesia,
PT XYZ. To meet the research objective, this research collects data by literature review, observation
and interview. The process capability level is determined by judging the process attributes for each of 27
processes selected from the domains of EDM, APO, BAI, DSS, and MEA. The assessment result shows that
the process capability of PT XYZ has achieved level 3 (established process). Recommendations for process
improvement to level 4 focus on defining and implementing analysis techniques and control
limits.
1 INTRODUCTION
Organizations highly depend on information
technology (IT) to support business strategy,
operations, business value, and good governance
implementation (Satidularn, Wilkin, Tanner, &
Linger, 2013). As a technology with the purpose of
acquiring, storing, managing, processing, and
disseminating the processed data (Rajaraman, 2018),
IT is becoming more important for the organization
in controlling and improving their business
performance (Kerr & Murthy, 2013). Given its
important role in the organization, IT frequently
represents a significant amount of investment
(ISACA, 2012c).
High spending on IT investment raises the
necessity of good IT Governance implementation to
ensure value realization, risk mitigation and practice
of expected behavior (Satidularn, Wilkin, Tanner, &
Linger, 2013; IT Governance Institute, 2009). IT
Governance is defined as the alignment of the IT
organization with performance goals and strategic
objectives, and the assessment of the results (Barbosa,
Rodello, & de Padua, 2014). In line with the growing
interest in IT governance, assessment and improvement
of IT governance are necessary to enable
organizations to monitor the effectiveness of IT
(Heroux & Fortin, 2017).
One model for conducting process capability
assessment to measure the IT governance practice in
an organization is defined by ISACA as Process
Assessment Model (PAM) using COBIT 5 (ISACA,
2013a). PAM COBIT 5 is a two-dimensional
process capability assessment, with COBIT 5
processes in the first dimension and capability
dimension in the second dimension (ISACA, 2013a).
COBIT 5 is a comprehensive framework that
enables organizations to achieve their objective in IT
governance and management (Romney & Steinbart,
2017).
In this research, the assessment took place at one
of the information and communication providers in
Indonesia, PT XYZ. All of the business processes in
PT XYZ use IT applications as directed by its
parent company X. Based on an interview with the
ICT Delivery Manager of PT XYZ, the budget for
IT expenditure is around IDR 90 Billion annually.
This covers PT XYZ's requirements for IT devices and
services such as PC, storage, LAN &
WLAN, WAN, voices, video, teleconference bridge,
the specific application for each department,
network management, incident and problem
management. Most IT devices and services are
outsourced, so most of the budget is allocated for IT
expenses. COBIT is an IT governance framework
that can be applied to outsourced IT in an
integrated way, and it provides a tool to assess,
monitor, and evaluate performance (Ahmed, 2011).
Hadiati, M. and M. Yusuf Khudri, T.
Process Capability Assessment of Information Technology Governance on Information and Communication Technology Provider Company: Case Study on PT XYZ.
DOI: 10.5220/0008427100180027
In Proceedings of the 2nd International Conference on Inclusive Business in the Changing World (ICIB 2019), pages 18-27
ISBN: 978-989-758-408-4
Copyright © 2020 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
Given the important role and significant
expense of IT, there is a need to evaluate the IT
governance in PT XYZ. The evaluation uses the
methodology of PAM COBIT 5. The objectives of
the research are to measure the process capability
level of IT governance in PT XYZ, prioritize COBIT
5 processes for the improvement plan, and identify
a practical improvement plan.
2 LITERATURE REVIEW
2.1 IT Governance
IT governance is the responsibility of the board of
directors and the top management of the
organization (Turel, Peng, & Bart, 2017; IT
Governance Institute, 2003). IT governance consists
of policies, structures, and processes of management
that involve IT function (Barbosa, Rodello, & de
Padua, 2014). Just as corporate governance has been
driven by the imperative to manage firms'
operations to more effectively meet shareholder
expectations, so have firms focused on IT
governance to achieve similar IT accountabilities
(Heroux & Fortin, 2017; Wilkin & Chenhall, 2010).
IT governance is an integral part of corporate
governance (Juiz, Guerrero, & Lera, 2014). The key
concepts of IT governance and corporate governance
are similar in definition, principles, subject,
function, performance measurement management,
and goals (Satidularn, Wilkin, Tanner, & Linger,
2013). The one distinction is that IT governance tends to
focus more on IT-related issues, while corporate
governance emphasizes enterprise-wide issues
(Satidularn, Wilkin, Tanner, & Linger, 2013). The
main focus area of IT governance can be divided
into five parts: strategic alignment, value delivery,
risk management, resource management, and
performance measurement (Heindrickson & Santos
Jr, 2014).
2.2 COBIT 5 Framework
The Information Systems Audit and Control Association
(ISACA) has introduced Control Objectives for
Information and Related Technology (COBIT) 5 as
the latest generation of IT governance and IT
management guidelines (ISACA, 2012). The COBIT
5 framework describes best practices for the
effective governance and management of IT
(Romney & Steinbart, 2017). Recently expert IT
professionals judge the COBIT processes in terms of
their importance for maintaining effective internal
control over the reliability of financial reporting
(Kerr & Murthy, 2013).
2.2.1 COBIT 5 Principles
COBIT 5 is a comprehensive framework that helps
enterprises achieve their IT governance and
management objectives (Romney & Steinbart,
2017). COBIT 5 is generic and useful for enterprises
of all sizes, whether commercial, not-for-profit or in
the public sector (ISACA, 2012). COBIT 5 is based
on five key principles for governance and
management of enterprise IT (ISACA, 2012), as in
Figure 1. The principles are (1) meeting stakeholder
needs, (2) covering the enterprise end-to-end, (3)
applying a single integrated framework, (4) enabling
a holistic approach, and (5) separating governance from
management.
Figure 1: COBIT 5 Principles. (Source: ISACA (2012))
2.2.2 COBIT 5 Process Reference Model
COBIT 5 includes a process reference model,
defining and describing in detail several governance
and management processes (ISACA, 2012b). The
proposed process model is a complete,
comprehensive model, but it is not the only possible
process model. Each enterprise must define its own
process set, taking into account its specific situation
(ISACA, 2012). There are 37 COBIT 5 processes
grouped into five domains.
A. The domain of Evaluate, Direct and Monitor
(EDM) consists of 5 processes.
1. Ensure governance framework setting and
maintenance (EDM01)
2. Ensure benefit delivery (EDM02)
3. Ensure risk optimization (EDM03)
4. Ensure resource optimization (EDM04)
5. Ensure stakeholder transparency (EDM05)
B. The domain of Align, Plan and Organize (APO)
consists of 13 processes.
6. Manage the IT Management Framework
(APO01)
7. Manage strategy (APO02)
8. Manage enterprise architecture (APO03)
9. Manage innovation (APO04)
10. Manage portfolio (APO05)
11. Manage budget and costs (APO06)
12. Manage human resources (APO07)
13. Manage relationships (APO08)
14. Manage service agreements (APO09)
15. Manage suppliers (APO10)
16. Manage quality (APO11)
17. Manage risk (APO12)
18. Manage security (APO13)
C. The domain of Build, Acquire and Implement
(BAI) consists of 10 processes.
19. Manage programs and projects (BAI01)
20. Manage requirements definition (BAI02)
21. Manage solutions identification and build
(BAI03)
22. Manage availability and capacity (BAI04)
23. Manage organizational change enablement
(BAI05)
24. Manage changes (BAI06)
25. Manage change acceptance and transitioning
(BAI07)
26. Manage knowledge (BAI08)
27. Manage assets (BAI09)
28. Manage configuration (BAI10)
D. The domain of Deliver, Service and Support
(DSS) consists of 6 processes.
29. Manage operations (DSS01)
30. Manage service requests and incidents
(DSS02)
31. Manage problems (DSS03)
32. Manage continuity (DSS04)
33. Manage security services (DSS05)
34. Manage business process controls (DSS06)
E. The domain of Monitor, Evaluate and Assess
(MEA) consists of 3 processes.
35. Monitor, evaluate, assess performance and
conformance (MEA01)
36. Monitor, evaluate, assess the systems of
internal controls (MEA02)
37. Monitor, evaluate, assess compliance with
external requirements (MEA03)
2.3 Process Assessment Model (PAM)
The process assessment model is a two-dimensional
model of process capability (ISACA, 2013a). In one
dimension, the process dimension, the processes are
defined and classified into process categories as in the
COBIT 5 process reference model. In the other dimension,
the capability dimension, a set of process attributes
grouped into capability levels is defined (ISACA,
2013a). Overview of PAM is shown in Figure 2.
Figure 2: Overview of the Process Assessment Model
(PAM). (Source: ISACA (2013a))
Process Capability Model itself is defined by
ISACA as a Process Assessment Standard based on
internationally recognized ISO/IEC 15504 Software
Engineering (ISACA, 2012). The model provides a
method to measure the performance of IT
governance processes or management processes and
identify process improvement (ISACA, 2012).
Process capability is a characterization of the ability
of a process to meet current or projected business
goals (ISACA, 2013a). PAM COBIT 5 classifies the
assessment result of process attributes into six
process capability levels as follows (ISACA, 2013a).
Level 0 Incomplete process. The process is not
implemented or fails to achieve its process
purpose.
Level 1 Performed process. The implemented
process achieves its process purpose.
Level 2 Managed process. The process is now
implemented in a managed fashion, and its work
products are appropriately established, controlled
and maintained.
Level 3 Established process. The process is now
implemented using a defined process that is
capable of achieving its process outcomes.
Level 4 Predictable process. The process now
operates within defined limits to achieve its
process outcomes.
Level 5 Optimizing process. The process is
continuously improved to meet relevant current
and projected business goals.
The capability level of a process is determined on
the basis of specific process attributes according to
ISO/IEC 15504-2:2003 (ISACA, 2013a). Table 1
shows the process attributes for each capability level.
Table 1: Capability Levels and Process Attributes.
(Source: ISACA (2013a))
Process Attribute ID   Capability Levels and Process Attributes
                       Level 0: Incomplete process
                       Level 1: Performed process
PA 1.1                 Process Performance
                       Level 2: Managed Process
PA 2.1                 Performance management
PA 2.2                 Work product management
                       Level 3: Established process
PA 3.1                 Process definition
PA 3.2                 Process deployment
                       Level 4: Predictable process
PA 4.1                 Process measurement
PA 4.2                 Process control
                       Level 5: Optimizing process
PA 5.1                 Process innovation
PA 5.2                 Process optimization
Each process attribute is rated using a standard
rating scale defined in the ISO/IEC 15504 standard
(ISACA, 2013a). Table 2 shows the rating scale in
terms of percentage achieved (ISACA, 2013a).
Table 2: Rating Levels. (Source: ISACA (2013a))
Rate   Description          % Achieved
N      Not Achieved         0 to 15% achievement
P      Partially Achieved   >15% to 50% achievement
L      Largely Achieved     >50% to 85% achievement
F      Fully Achieved       >85% to 100% achievement
3 RESEARCH OBJECT AND METHODOLOGY
3.1 Research Object
The research took place at one of the information
and communication technology providers in
Indonesia, PT XYZ. PT XYZ was established and is
mostly owned by Parent Company X, which is domiciled
in Sweden. PT XYZ is the authorized provider for
information and communication technology Brand
X. The main activities of PT XYZ are to sell and deliver
network solutions to its customers, who are mainly
telecommunication providers in Indonesia. The
network solution consists of hardware, software, and
network services under Brand X.
Parent Company X and its subsidiaries around
the world, including PT XYZ, form a Global Group
X with one global company approach with Parent
Company X as the top management. PT XYZ is in
the Market Area of South East Asia, India and
Oceania. As one of the local entities under Global Group
X, PT XYZ must comply with local government law
and the corporate governance requirements of Global
Group X. PT XYZ is also required to set up and
implement corporate governance forums.
PT XYZ, as instructed by Global Group X,
follows a matrix organization structure. Matrix
management is a practice of managing individuals
with more than one reporting line (Johson & Geal,
2016). The dual reporting line is to functional
organization and to project organization (Min,
2014). In PT XYZ, the direct reporting line (represented
by a solid line) under the President Director is only from
Government Relation & Advisor and three Key
Account Managers. The reporting lines from other
functions, like Business Controller, Head of Network
Operations, and Head of Commercial Management, are
indirect reporting lines, represented by a dotted line.
Those other functions report directly to their line
manager in Market Area. Figure 3 shows the
organization structure of PT XYZ.
As the focal point for IT management
responsibility in PT XYZ, the ICT Delivery Manager
reports directly to his manager, the Head of Digital
Transformation & IT in Market Area. In PT XYZ, the
ICT Delivery Manager reports indirectly to the Business
Controller. The main responsibilities of the ICT
Delivery Manager are to (1) ensure IT solution
implementation complies with Global Group X
requirements, (2) implement the IT governance and IT
solution process framework, and (3) comply with the
directive of security, sustainability, occupational
health of Global Group X.
Figure 3: Organization Structure of PT XYZ. (Source:
Interview with ICT Delivery Manager of PT XYZ)
IT Governance in PT XYZ is also part of IT
governance in Global Group X which is regulated in
IT governance directives, instructions, and guidance.
Key decisions of IT governance in PT XYZ are
taken with the following blend: 70% decisions made by IT
Executives in Parent Company X, 20% decisions
made by Executive Management and IT Executives
altogether, and 10% decisions made locally by IT
Division in PT XYZ. 70% of decisions made by IT
Executives in Parent Company X are about IT
architecture, infrastructure, investment, and priority.
20% of decisions by Executive Management and IT
Executives are IT strategies and principles. 10% of
decisions made locally are about IT application
requirement based on local business of PT XYZ.
As instructed by Parent Company, all of the
business processes in PT XYZ use IT applications
and devices. IT devices and services required by PT
XYZ are PC, storage, LAN & WLAN, WAN,
voices, video, teleconference bridge, the specific
application for each department, network
management, incident, and problem management.
All of these devices are outsourced to IT vendors
which are decided by IT Executives in Parent
Company X with procurement mechanism provided
in Global Group X. ICT Delivery Manager is
responsible for local IT readiness, implementation
schedule, alignment of IT solution with business,
and IT solution change if needed by the business.
Most of the IT applications used in PT XYZ
business processes are mandatory applications from IT
Executives in Parent Company X. This secures
alignment between the IT applications used and
the business process in PT XYZ, which is arranged by
Business Executives in Parent Company X. PT XYZ
also develops a few applications locally due to
business requirements from a customer that cannot be
satisfied by mandatory applications. Local
applications use platforms and hosting servers from
local IT vendors. The weakness of local applications
is that they have no escalation mechanism to Market Area
or Parent Company X if a problem occurs.
There are three IT governance forums attended
regularly by the ICT Delivery Manager of PT XYZ. The
first one is the IT Supplier Governance Meeting, which
is attended by IT vendors and whose purpose is to review
the vendors' IT services compliance with directives
from Parent Company X and Market Area. The
second forum is the IT Governance meeting with
stakeholders, which is attended by the President Director
of PT XYZ, the Business Controller, the Head of HR and
the Head of Security. The meeting's purpose is to
coordinate and evaluate the IT implementation,
procedure, and project in PT XYZ. The third forum
is the IT Vertical Meeting Specific Component IT
Service, which is attended by the service owner and the IT
leader for each specific component in Parent Company X
and Market Area. The forum's purpose is to review
each specific component for its compliance with
Global directives and to escalate problems that have
occurred in Market Area together with a solution proposal.
3.2 Research Method
This research uses the qualitative method with a case
study approach. Data are collected by literature review,
observation and interview. Collected data will be
analyzed using PAM COBIT 5 with the
self-assessment process approach.
Self-assessment process is an approach which is
able to identify the process capability gap that needs
improvement with relatively small investment
(ISACA, 2013c). Even though it tends to be more
subjective and optimistic, self-assessment can be
employed to be a prerequisite assessment to assist
management for deciding the target of process
capability level (ISACA, 2013c).
Figure 4: Self-assessment Process. (Source: ISACA
(2013c))
Figure 4 shows the steps of the self-assessment
process as the following description.
Step 1: Decide on the processes to assess
(scoping).
In the first step, COBIT 5 processes will be
sorted for assessment using Scoping Tool in
Process Assessment Model (PAM) Tool Kit:
Using COBIT 5 (ISACA, 2013b). In scoping, the
author maps the enterprise goals of PT XYZ to the
enterprise goals of COBIT 5. After that, the
sorted enterprise goals of COBIT 5 will be
mapped to IT-related goals of COBIT 5 based on
Scoping Tool. The selected IT-related goals are
the ones that have a primary important relation to
enterprise goals. Then the selected IT-related
goals will be mapped to COBIT 5 Processes
using Scoping Tool. The final identified COBIT
5 Processes are the processes with important
primary relation to IT-related goals.
Step 2: Determine level 1 capability.
After scoping, author and ICT Delivery Manager
of PT XYZ determine if the identified COBIT 5
processes are achieving process capability level
1. The author uses Self-assessment Template
from ISACA (2013b). Indicators in process
attribute (PA) 1.1 are specific for every process.
While assessing every indicator in PA 1.1, there
is a need for judgment to decide the rating level
given to every indicator. Please refer to Table 2
for the rating level of PA 1.1 based on outcome
percentage. A process achieves level 1
capability only if it is rated "L – largely achieved" or
"F – fully achieved" for every indicator in PA
1.1.
Step 3: Determine the capability for levels 2 to 5.
For processes achieving capability level 1, an
assessment will be continued to determine
capability for levels 2 to 5. In assessing
capability level 2 and above, indicators of
process attributes are generic for every process.
The author uses the Self-assessment Template
from ISACA (2013b). As in assessing capability
level 1, there is a need for judgment to decide the
rating level given to every indicator on capability
levels 2 to 5; see Table 2 for the rating
levels based on outcome percentage.
Step 4: Record and summarise capability levels.
The capability level of a process is determined by
whether the process attributes at that level have
been largely or fully achieved and whether the
process attributes for the lower levels have been
fully achieved (ISACA, 2013c). Table 3 shows
the necessary rating for achieving each level. The
summary of capability levels for each process
will be recorded in the process assessment result
table from ISACA (2013b).
Table 3: Levels and Necessary Ratings. (Source: ISACA
(2013c))
Scale     PA ID   Process Attribute          Rating
Level 1   1.1     Process Performance        L or F
Level 2   1.1     Process Performance        F
          2.1     Performance Management     L or F
          2.2     Work Product Management    L or F
Level 3   1.1     Process Performance        F
          2.1     Performance Management     F
          2.2     Work Product Management    F
          3.1     Process Definition         L or F
          3.2     Process Deployment         L or F
Level 4   1.1     Process Performance        F
          2.1     Performance Management     F
          2.2     Work Product Management    F
          3.1     Process Definition         F
          3.2     Process Deployment         F
          4.1     Process Measurement        L or F
          4.2     Process Control            L or F
Level 5   1.1     Process Performance        F
          2.1     Performance Management     F
          2.2     Work Product Management    F
          3.1     Process Definition         F
          3.2     Process Deployment         F
          4.1     Process Measurement        F
          4.2     Process Control            F
          5.1     Process Innovation         L or F
          5.2     Process Optimization       L or F
Step 5: Plan process improvement.
The author, together with the ICT Delivery Manager,
evaluates the gap between the target capability
levels and current achievement. The
improvement plan will be arranged based on the gap
evaluation, with a focus on the prioritized processes
to be improved, the target capability levels, the
time required, the resources needed, and the estimated
budget for achieving the target.
4 CASE STUDY
4.1 Decide on Process to Assess
For scoping purpose, the author uses the enterprise
goal of PT XYZ stated in the Growth Plan document
as a base to decide. The goal is “To be the number 1
business partner to our customers by delivering the
best ICT transformation with superior customer
experience through our best in class end-to-end
capabilities”. Based on author's assumption and
confirmation to ICT Delivery manager, the
enterprise goal of PT XYZ is mapped to three
COBIT 5 Enterprise Goals: (1) Customer-oriented
service culture, (2) Operational and staff
productivity, (3) Skilled and motivated people.
Next, identified COBIT 5 enterprise goals are
mapped to COBIT 5 IT-related goals (ITRG) using
Scoping Tool. The author only selects IT-related
goals that have a primary important relation to
enterprise goals. The mapping obtains four ITRG:
(1) Alignment of IT and business strategy, (2)
Delivery of IT services in line with business
requirements, (3) Adequate use of applications,
information and technology solutions, (4)
Competent and motivated business and IT personnel.
Then four identified ITRG are mapped to COBIT
5 processes based on Scoping Tool. The mapping
only selects COBIT 5 Processes with important
primary relation to identified ITRG. This step results in
27 COBIT 5 processes, i.e. EDM01, EDM02,
EDM04, EDM05, APO01, APO02, APO03, APO04,
APO05, APO07, APO08, APO09, APO10, APO11,
BAI01, BAI02, BAI03, BAI04, BAI05, BAI06,
BAI07, DSS01, DSS02, DSS03, DSS04, DSS06,
MEA01.
4.2 Determine Capability Process Levels
After scoping is done, the next step is to determine the
process capability level for each of the 27 identified
COBIT 5 processes. Each process' assessment
starts with capability level 1 determination by
rating every indicator in Process Attribute (PA) 1.1.
If all indicators in PA 1.1 are passed with rating F
(fully achieved), then the process' assessment
continues with the determination of capability levels
2 to 5. In assessing capability levels 2 to 5 for each
process, process attributes must be rated
consecutively, i.e., PA 2.1, 2.2, 3.1, 3.2, 4.1, 4.2, 5.1
and 5.2. A process is assessed at the next level if
it has fulfilled all process attributes in the lower
levels with rating F (fully achieved), e.g., a process
can achieve capability level 3 only if all process
attributes in capability levels 1 and 2 have covered
>85% to 100% of achievement, or are rated F.
To assess the capability levels, the author
interviewed the ICT Delivery Manager of PT XYZ about
the 27 identified processes. The author fills in the
Self-assessment Template based on the interview
transcript. After filling in the Self-assessment Template,
the author records each process' achievement in the
Detailed Assessment Schedule. An example of the
schedule for process EDM01 is shown in Table 4.
Table 4: Detailed Assessment Schedule of Process
EDM01.
Process Name: EDM01
LEVEL                0    1        2        2        3        3        4        4        5        5
Process attribute         PA 1.1   PA 2.1   PA 2.2   PA 3.1   PA 3.2   PA 4.1   PA 4.2   PA 5.1   PA 5.2
Rating by Criteria   F    F        F        F        F        F        F        P        N        N
Capability Level Achieved: 3
Based on Table 4, process EDM01 achieves
capability level 3 with rating F (fully achieved). On
PA 4.1 this process is also rated F, but rated P
(partially achieved) in PA 4.2. It means that process
EDM01 does not meet the necessary rating for
achieving capability level 4.
Similar detailed assessment schedules are created
for each of the 26 other identified processes based on the
Self-assessment Template of each process.
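The level determination described in Steps 2 to 4 (Tables 2 and 3) and applied to EDM01 in Table 4 can be written down as a short program. The following Python is an added example, not part of the original paper or of ISACA's tool kit; the function names are hypothetical, the EDM01 ratings are those of Table 4, and the second sample process is constructed.

```python
"""COBIT 5 PAM capability-level determination (added example)."""
from enum import IntEnum


class Rating(IntEnum):
    """Rating scale of Table 2, ordered so ratings can be compared."""
    N = 0  # Not achieved:       0 to 15%
    P = 1  # Partially achieved: >15% to 50%
    L = 2  # Largely achieved:   >50% to 85%
    F = 3  # Fully achieved:     >85% to 100%


# Process attributes that belong to each capability level (Table 1).
LEVEL_ATTRIBUTES = {
    1: ("PA 1.1",),
    2: ("PA 2.1", "PA 2.2"),
    3: ("PA 3.1", "PA 3.2"),
    4: ("PA 4.1", "PA 4.2"),
    5: ("PA 5.1", "PA 5.2"),
}


def rate(percent):
    """Map an achievement percentage to a rating (Table 2)."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be within 0..100, got {percent}")
    if percent > 85:
        return Rating.F
    if percent > 50:
        return Rating.L
    if percent > 15:
        return Rating.P
    return Rating.N


def required_ratings(target_level):
    """Minimum rating per attribute needed for target_level (Table 3).

    Attributes of the target level need L or F; every attribute of a
    lower level needs F.
    """
    if target_level not in LEVEL_ATTRIBUTES:
        raise ValueError(f"capability level must be 1..5, got {target_level}")
    required = {}
    for level in range(1, target_level + 1):
        minimum = Rating.L if level == target_level else Rating.F
        for attribute in LEVEL_ATTRIBUTES[level]:
            required[attribute] = minimum
    return required


def blocking_attributes(ratings, target_level):
    """Attributes whose rating is below what target_level requires.

    An attribute with no recorded rating is treated as N (assumption).
    """
    return [
        attribute
        for attribute, minimum in required_ratings(target_level).items()
        if ratings.get(attribute, Rating.N) < minimum
    ]


def capability_level(ratings):
    """Highest level whose necessary ratings are all met (0 if none)."""
    achieved = 0
    for level in sorted(LEVEL_ATTRIBUTES):
        if blocking_attributes(ratings, level):
            break  # a failed level also fails every higher level
        achieved = level
    return achieved


# Ratings of process EDM01 as recorded in Table 4.
EDM01 = {
    "PA 1.1": Rating.F, "PA 2.1": Rating.F, "PA 2.2": Rating.F,
    "PA 3.1": Rating.F, "PA 3.2": Rating.F, "PA 4.1": Rating.F,
    "PA 4.2": Rating.P, "PA 5.1": Rating.N, "PA 5.2": Rating.N,
}

# Constructed sample: PA 1.1 only largely achieved, so level 2 is
# out of reach even though both level 2 attributes are rated F.
SAMPLE_LARGELY = {
    "PA 1.1": rate(70), "PA 2.1": rate(95), "PA 2.2": rate(90),
}

if __name__ == "__main__":
    print("EDM01 level:", capability_level(EDM01))
    print("EDM01 gap to level 4:", blocking_attributes(EDM01, 4))
    print("Sample level:", capability_level(SAMPLE_LARGELY))
    print("Sample gap to level 2:", blocking_attributes(SAMPLE_LARGELY, 2))
```

The list returned by `blocking_attributes` is the set of process attributes an improvement plan has to raise before the target level is met.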
4.3 Summarize Capability Levels
The assessment result of the 27 identified processes shows
that all processes achieve rating F (achievement of
>85% to 100%) on process attributes PA 1.1 to 4.1
but achieve rating P (achievement of >15% to 50%)
on PA 4.2. Therefore every process is scored 3.5.
Figure 5 shows the current condition of process
capability in PT XYZ towards its target.
Figure 5: Result Diagram of Process Capability
Assessment PT XYZ.
Based on the necessary rating of capability level
from ISACA (2013c), every process achieves
capability level 3 or established process. It shows
that PT XYZ has implemented the defined IT
processes for achieving process’ outcomes. Every
process achieves rating F for PA 4.1, and it means
that processes have been measured using a defined
process and the measurement results have been
analyzed and reported. Meanwhile, PA 4.2 is rated
P, which means PT XYZ has not defined analysis
techniques and controls for measurement result data.
In addition, control limits have not been implemented
for variance of process performance. Table 5 shows
every process’ target of capability level, current
condition, and gaps between them.
Table 5: Capability Level Target, Current Condition, and
Gaps in PT XYZ.
                          Capability Level
NO   Identified Process   Target   Current Condition   Gap
1    EDM01                4        3.5                 0.5
2    EDM02                4        3.5                 0.5
3    EDM04                4        3.5                 0.5
4    EDM05                4        3.5                 0.5
5    APO01                4        3.5                 0.5
6    APO02                4        3.5                 0.5
7    APO03                4        3.5                 0.5
8    APO04                4        3.5                 0.5
9    APO05                4        3.5                 0.5
10   APO07                4        3.5                 0.5
11   APO08                4        3.5                 0.5
12   APO09                4        3.5                 0.5
13   APO10                4        3.5                 0.5
14   APO11                4        3.5                 0.5
15   BAI01                4        3.5                 0.5
16   BAI02                4        3.5                 0.5
17   BAI03                4        3.5                 0.5
18   BAI04                4        3.5                 0.5
19   BAI05                4        3.5                 0.5
20   BAI06                4        3.5                 0.5
21   BAI07                4        3.5                 0.5
22   DSS01                4        3.5                 0.5
23   DSS02                4        3.5                 0.5
24   DSS03                4        3.5                 0.5
25   DSS04                4        3.5                 0.5
26   DSS06                4        3.5                 0.5
27   MEA01                4        3.5                 0.5
4.4 Plan Process Improvements
In arranging the plan for process improvement, the author
explains the gap between the assessment result and the
target, as in Table 5, to the ICT Delivery Manager. Because
every process has a gap of 0.5, the author suggests
planning improvement for every identified process.
The improvement plan encompasses activities to define
and implement analysis techniques for every process'
performance data, to define and implement every
process' performance control, and to define control
limits for every process' performance variance.
Discussion between the author and the ICT Delivery
Manager leads to prioritizing two processes in
planning the process improvement due to resource
limitations. Those are the process Manage suppliers
(APO10) and the process Manage solutions
identification and build (BAI03). Both are
prioritized because of their importance in affecting the
performance of the IT Division generally. The process
Manage suppliers (APO10) is considered important
because most of the IT expense is allocated to pay
suppliers for providing the required IT devices and
services under an operational lease
expense scheme. The process Manage solutions identification
and build (BAI03) is important because, besides
employing solutions defined by IT Executives in
Parent Company X, PT XYZ also identifies and
builds its own IT solutions based on business
requirements and customer requests.
Discussion results of an improvement plan for
process Manage suppliers (APO10) are as follows.
Activities: (1) Escalate to IT Executives, (2)
Define analysis technique, control technique, and
control limit of suppliers’ performance, (3) Set
up project and prepare infrastructure that focuses
on process improvement, (4) Analyze the
possibility of change for service level agreement
(SLA), (5) Insert the defined analysis technique,
control technique, and control limit of suppliers’
performance in SLA, (6) Request for additional
services to meet newly improved SLA.
Time Plan: two years.
Required Resource: Sourcing Specialist Expert
and Sourcing Team.
Estimated Budget: SEK 200,000 or IDR
316,745,790.
The plan for process improvement regarding BAI03, or
Manage solutions identification and build, is as
follows.
Activities: (1) Escalate to IT Executives, (2)
Identify the control of solution performance
required by business, (3) Define analysis
technique, control technique, and control limit
for solution performance variance, (4) Set up
project and prepare infrastructure for focus on
process improvement, (5) Implement analysis
technique and control limit of solution
performance, (6) Insert the analysis technique,
control technique, and control limit of solution
performance variance in the Solution Definition.
Time Plan: two years.
Required Resource: Solution Expert, Business
Analyst, Market Area IT Team.
Estimated Budget: SEK 100,000 or IDR
158,372,895.
5 CONCLUSIONS
Based on a case study of process capability
assessment on PT XYZ as one of the ICT providers in
Indonesia, the author concludes as follows. First, the
result of the process capability assessment of PT XYZ with
the PAM COBIT 5 method shows a score of 3.5. This
score places PT XYZ at capability level 3,
or established process. It means that PT XYZ has
implemented the defined IT processes for achieving
process outcomes.
Second, two processes are prioritized for the
process improvement plan: Manage suppliers (APO10)
and Manage solutions identification and build
(BAI03). Both are prioritized because of their
importance to the overall performance of the IT
Division. APO10 is prioritized because most IT
expense is allocated to paying suppliers that
provide the required IT devices and services under
an operational lease expense scheme. BAI03 is
considered important because PT XYZ needs to
identify and build its own IT solution based on
business requirements and customer requests, in
addition to using the mandatory solution from
Parent Company X.
Third, APO10 can be improved mainly by defining
and implementing the analysis technique, control
technique, and control limit for variance in
suppliers' performance, and inserting them all in
the improved SLA. Improving APO10 requires a time
plan of two years and an estimated budget of IDR
316,745,790, with resource support from the
Sourcing Specialist Expert and Sourcing Team.
BAI03 can be improved mainly by identifying the
control of solution performance required by
business, defining the analysis technique, control
technique, and control limit for solution
performance variance, and inserting them all in
the Solution Definition. Improving BAI03 requires
a time plan of two years and an estimated budget
of IDR 158,372,895, with resource support from the
Solution Expert, Business Analyst, and Market Area
IT Team.
The author notes several limitations. First, the
assessment tends to be subjective because it comes
only from the IT Division of PT XYZ. The chairman
of the IT Steering Committee in PT XYZ, the
Business Controller, was not involved in the
assessment due to access limitation. Second, the
author's subjectivity also affects the assessment
result, because the author is the one who
identified the COBIT 5 processes to be assessed
and decided the capability levels based on an
interview with the ICT Delivery Manager. Third,
the limited duration of the research probably
affected the collection of data and information.
The author also offers the following suggestions.
For PT XYZ, implementing the process improvement
plan for the two prioritized processes is highly
recommended for better IT governance
implementation. Parent Company X must support and
monitor the process improvement plan in PT XYZ,
given its important role in taking decisions
related to IT. Future research is recommended to
involve the chairman of the IT Steering Committee
of PT XYZ, who is the Business Controller, so that
the assessment will be more objective from the
perspective of both business and IT.
REFERENCES
Ahmed, Adesanya. 2011. Using COBIT to Manage the
Benefit, Risk and Security of Outsourcing Cloud
Computing. COBIT Focus Volume 2.
https://www.isaca.org/Knowledge-Center/Documents/Using-COBIT-to-Manage-the-Benefits-Risks-and-Security-of-Outsourcing-Cloud-Computing.pdf
Barbosa, S. C. B., Rodello, I. A., & de Padua, S. I. D.
2014. Performance Measurement of Information
Technology Governance in Brazilian Financial
Institutions. Journal of Information Systems and
Technology Management Vol. 11 No. 2, 397-414.
Heindrickson, G., & Santos Jr., C. D. 2014. Information
Technology Governance In Public Organizations:
How Perceived Effectiveness Relates To Three
Classical Mechanisms. Journal of Information Systems
and Technology Management Vol. 11 No. 2, 297-326.
Heroux, S., & Fortin, A. 2017. Exploring the Influence of
Executive Management Diversity on IT Governance.
Journal of Information Systems and Technology
Management Vol. 14 No. 3, 401-429.
ISACA. 2013a. Process Assessment Model (PAM): Using
COBIT 5, ISACA. Rolling Meadows.
ISACA. 2013b. Process Assessment Model (PAM) Tool
Kit: Using COBIT 5, ISACA. Rolling Meadows.
http://www.isaca.org/COBIT/Pages/COBIT-5-PAM.aspx
ISACA. 2013c. COBIT Self-assessment Guide: Using
COBIT 5, ISACA. Rolling Meadows.
ISACA. 2012. COBIT 5: A Business Framework for the
Governance and Management of Enterprise IT,
ISACA. Rolling Meadows.
Johnson, B., & Geal M. 2016. Matrix Management.
Training Journal January 2016, 28-31.
www.trainingjournal.com
Juiz, C., Guerrero, C., & Lera, I. 2014. Implementing
Good Governance Principles for the Public Sector in
Information Technology Governance Framework.
Open Journal of Accounting 2014, 9-27.
Kerr, D.S., & Murthy, U.S. 2013. The Importance of the
COBIT Framework IT Processes for Effective Internal
Control Over Financial Reporting in Organizations:
An International Survey. Elsevier Information &
Management The International Journal of Information
Systems Application, 590-597.
Min, Y.C., Li, C.L., Ching, P.H., & Chih, M.H. 2014.
Matrix Organization Process Reengineering for
Construction Firms. Journal of Management in
Engineering.
Rajaraman, V. 2018. Introduction to Information
Technology, PHI Learning Private Limited. Delhi, 3rd
edition.
Ratih, I. G. A. D. S., Bayupati, I. P. A., & Sukarsa, I. M.
2014. Measuring the Performance of IT Management
in Financial Enterprise by Using COBIT. I.J.
Information Engineering and Electronic Business
2014, 15-24.
Romney, M. B., & Steinbart, P. J. 2017. Accounting
Information System, Pearson Education Limited.
Essex, 14th edition.
Satidularn, C., Wilkin, C., Tanner, K., & Linger, H. 2013.
Investigation of the Relationship between IT
Governance and Corporate Governance. Proceedings
of the International Conference on Management,
Leadership and Governance, 420-423.
Turel, O., Peng, L., & Bart, C. 2017. Board-Level
Information Technology Governance Effects on
Organizational Performance: The Roles of Strategic
Alignment and Authoritarian Governance Style. In
Journal Information System Management Vol. 34 No.
2, 117-136.
APPENDIX
To assess the capability level of every identified
process, a Self-assessment Template must be filled
in. The template is filled in based on interviews
about process capability with the ICT Delivery
Manager of PT XYZ. Part of the interview
transcript is shown below.
Interview Transcript of Process Capability
Assessment with ICT Delivery Manager.
Interview Date: 2018 November 19, 21, 22, 26, 27,
and 28
Respondent: ICT Delivery Manager PT XYZ
1. Question: Are there any documents to guide
IT Governance in PT XYZ, decision making
model, and authority level?
Answer: As I have explained previously,
decision making authority related to IT in every
entity in Global Group X is divided as: 70%
made by IT Executives in Parent Company X,
20% decision made by Senior Management of
Parent Company X together with IT Executives,
10% decision made locally in PT XYZ.
Documents related to IT Governance, decision
making model, and authority level are arranged
by Parent Company X. Those are defined in
document of IT Governance Model Directive and
Global Group X Management System Directive.
2. Question: Is there any reward system
implemented for the IT Division?
Answer: The reward system is included in the Human
Resource Management System implemented by the
HR Division based on the KPI evaluation score from
the line manager. The HRMS system is also defined in
Group Directive and Group Instruction.