Identification of IT Governance Capability Level of COBIT 2019 at The KOMINFO City of Bitung, North Sulawesi

Effective information technology governance (ITG) is vital for managing risks and ensuring proper oversight of IT in government organizations and enterprises. However, many organizations struggle with implementing effective ITG strategies, resulting in a higher likelihood of cybersecurity breaches, operational inefficiencies, and financial losses. This study addresses the urgency of improving ITG by assessing the capability level of ITG within the Ministry of Communication and Information Technology (KOMINFO) in Bitung, North Sulawesi, using the widely recognized COBIT 2019 framework. By conducting interviews with key IT personnel, the study quantifies the capability level of eleven core models and highlights areas that require improvement. The results underscore the critical importance of designing and implementing effective IT governance to mitigate risks and enhance IT oversight in government organizations and enterprises. The study's findings can serve as a foundation for future efforts to improve IT governance in KOMINFO and other organizations, ultimately contributing to a safer and more secure IT environment.


Introduction
Information Technology Governance, or IT Governance, is important in monitoring and managing information technology and its risks in companies and agencies. Without good governance, it is not easy to see how well IT implementation performs in a company. To achieve its vision and mission, a company requires IT Governance that can maximize profits [2]. Information Technology Governance is the responsibility of companies and of government agencies such as the Ministry of Communication and Information Technology (KOMINFO).
The KOMINFO is part of the national ministry of the Indonesian government. Public services for communication and information technology in the community are managed and administered by KOMINFO. This makes KOMINFO an important agency in the continuity of the service process to the local community. The tasks and functions of KOMINFO in organizing government affairs, in terms of helping to collect data and information from the public for the government, include the formulation and determination of policies, policies in the field of resource management and guidance, and administrative support within KOMINFO, among others [3]. KOMINFO has many duties and responsibilities in supporting services for the community. To fulfil them, it needs well-structured technology and system governance so that services can be delivered properly.
IT Governance can be done with various frameworks, including COBIT (Control Objective for Information and related Technology). COBIT is an IT governance framework intended for management, staff, the IT department, and business people to ensure the confidentiality, availability, and integrity of company data. It has five scopes: the EDM domain, regulating evaluation through to framework briefing; the APO domain, regulating framework planning; the BAI domain, covering building through to framework implementation; the DSS domain, serving user services; and the MEA domain, providing performance evaluation of the framework [4]. COBIT can measure the balance of information technology with business objectives to create the expected business alignment. COBIT is also a recommended framework under SOE Ministerial Regulation No. PER-03/MBU/02/2018 [5]. It is of utmost urgency that KOMINFO undergoes an assessment with the latest COBIT audit framework, COBIT 2019, as it has never been assessed with it.
Designing IT governance is expected to help find out which design factors affect governance in the company. Therefore, this research aims to identify the capability level of the ITG design at Bitung City's KOMINFO using the COBIT 2019 framework. COBIT 2019 can produce a structured governance system that shows the management and important priorities of the company in maximizing IT. Thus, the research question is "What COBIT 2019 capability level does the KOMINFO of Bitung City have?", and this research sets out to answer it.

Information Technology Governance
Information Technology (IT) governance is an obligation of executive management: monitoring and implementing IT strategies to maintain alignment between IT and business processes, introducing a matrix to determine the value of IT, and managing IT risks as fully as possible. IT governance can provide the right solution for organizations, such as government organizations and specialized companies, in developing IT investments and implementation and balancing the risks [6]. In addition, IT governance is responsible for ensuring that the various resources owned by the company or organization are utilized as well as possible to gain competitive opportunities and flexibility. In other words, IT governance leverages the principles that exist in the organization for IT units [7].

COBIT 2019
COBIT 2019 (Control Objective for Information and related Technology) is the most recent version of COBIT, created and published by ISACA. It contains guidelines on IT governance and corporate IT management that follow the needs of each company, with 40 core objectives divided between governance and management, referred to as the COBIT Core Model [8]. There are five domains in the COBIT Core Model under two main principles. Governance contains the Evaluate Direct Monitor (EDM) domain, whose purpose is to evaluate, direct, and monitor the achievement of organizational strategies. Management contains four domains: Align Plan and Organize (APO), whose purpose is to address all matters concerning the organization, strategies, and supporting activities for IT; Build Acquire and Implementation (BAI), whose purpose is to interpret, acquire, and implement IT solutions; Deliver Service and Support (DSS), whose purpose is to address operational matters and support for IT services and security; and Evaluate and Assess Monitor (MEA), whose purpose is to monitor the performance of IT and its match with internal control objectives, internal performance targets, and external requirements. Each domain in COBIT 2019 contains processes called objectives [9].

Figure 1 Research Methodology
We use the methodology provided by COBIT 2019, namely the COBIT 2019 Governance System Design Workflow [5]. The steps are as follows:

Identification of Issues
In this stage, IT Governance was evaluated at the Bitung City Department of KOMINFO. The results showed that it was not properly implemented and that infrastructure support still relies mostly on internal sources, which makes IT governance performance less than optimal.

Literature Studies
This literature study stage reviews what is needed for the study: identifying or preparing the required material and searching research sources on similar cases that have already been studied. This prior work helps the group complete the task properly.

Understanding the Corporate Context and Strategy
In this stage, which uses the Governance System Design Workflow in COBIT 2019, a context determination is conducted to understand more clearly what the company will do to see what risks can be accepted.

Data Gathering for IT Governance System
IT Governance-related data is gathered through interviews with stakeholders and contributes to the IT Governance System of COBIT 2019.

Analyze results from the Design Factor
This stage analyzes and determines the results from the ten design factors set by COBIT 2019. This process is done to identify what the organization requires. The result shows which COBIT 2019 core models are acknowledged as priorities and which are not. This measurement is shown as an ability level.
COBIT 2019 defines four levels of ability that represent the level of capability maturity of an organization in terms of the effective implementation of governance and management practices. The four levels of ability are:
• Level 1: Initial - Ad hoc and unstructured practices with no formalized processes in place.
• Level 2: Managed - Processes are established and managed, but they may not be well-documented or consistently applied across the organization.
• Level 3: Established - Processes are well-defined, documented, and consistently applied across the organization.
• Level 4: Optimized - Processes are continually improved and optimized to achieve organizational goals and objectives.
These levels are designed to help organizations assess their current maturity level and identify areas where they need to improve their governance and management practices.By implementing the practices outlined in COBIT 2019, organizations can move up the levels of ability and improve their overall effectiveness in achieving their goals and objectives.

Concluding the Governance System Design
This final stage connects all the inputs and considerations produced in the previous stages so that conclusions can be drawn from all the methods used in governance. The conclusion results in a system design that can be managed and adapted by the company.

Corporate Strategy
Here is a graph from Design Factor 1 on the Importance of Each Enterprise Strategy Archetype. The first-priority company strategy of the Bitung City Department of KOMINFO is Client Service/Stability, with importance 5, because the department, as a government agency, focuses on providing stable public services to the people of Bitung City. Cost Leadership, with importance 4, is the second priority because the department, in addition to focusing on public services, also focuses on saving costs and using existing budgets as effectively and efficiently as possible. Growth/Acquisition has an importance of 1 because, unlike money-oriented companies, the department focuses on public services for the Bitung City community. Finally, Innovation/Differentiation has importance 1 because the department acts as a follower: it applies new technology only once that technology is stable, unlike innovators who implement something new without following other parties.

Target of the Company
According to COBIT 2019, the company target is divided into four perspectives: financial, customer, internal, and growth. The assessment of the targets of the government agency of the Bitung City Department of KOMINFO is as follows.
In the financial perspective, EG01 - Portfolio of competitive products and services is worth 3 because the Bitung City Department of KOMINFO is part of the government that focuses on community service; regarding products and services, the focus is only on ensuring that the public can accept applications. EG02 - Managed business risk is worth 3 because there are no unmanaged risks, as all risks must be resolved. EG03 - Compliance with external laws and regulations is worth 5 because compliance with the law is mandatory, especially in government agencies. EG04 - Quality of financial information is worth 5 because financial openness to the community is very important for government agencies such as the Bitung City Department of KOMINFO.
In the customer perspective, EG05 - Customer-oriented service culture is worth 5 because the Bitung City Department of KOMINFO focuses on community services. EG06 - Business-service continuity and availability is worth 5 because this is very important for the Bitung City Department of KOMINFO. EG07 - Quality of management information is worth 5 because it is very important given the amount of data in the Bitung City Department of KOMINFO.
In the internal perspective, EG08 - Optimization of internal business process functionality is worth 5 because optimization, especially in the IT sector, is very important. EG09 - Optimization of business process costs is worth 4 because cost is a more important issue this year than in previous years, due to the procurement of servers and other items to support the Mayor's direction to make Bitung City digital. EG10 - Staff skills, motivation, and productivity is worth 4 because this is important given that the Bitung City Department of KOMINFO focuses on community services. EG11 - Compliance with internal policies is worth 4 because compliance, especially in the IT sector, must follow the regulations in the agency.
In the growth perspective, EG12 - Managed digital transformation programs is worth 4 because digital transformation is of the highest importance for the Bitung City Department of KOMINFO. Finally, EG13 - Product and business innovation is worth 4 because this is important, especially for government agencies such as the Bitung City Department of KOMINFO.

Risk Profile
Design factor 3 is the next stage, identifying the risks faced by the Bitung City Department of KOMINFO, North Sulawesi. The assessment is based on the level of impact resulting from the risk if it occurs, rated as follows: 1 = very low, 2 = low, 3 = medium, 4 = high, 5 = very high. The likelihood of a risk occurring is rated as follows: 1 = rare (1%-20% occur), 2 = unlikely (21%-40% occur), 3 = possible (41%-60% occur), 4 = likely (61%-80% occur), and 5 = almost (81%-100% occur). The assessment of the risk profile of the government agency of the Department of Communication and Information Technology is as follows.
In the risk scenario category, IT investment decision making, portfolio definition & maintenance at the Bitung City Department of KOMINFO has a risk rating of 10, with an impact of 5 for the smooth running of the company and a likelihood of 2 because it has happened. Programs & projects life cycle management has a risk rating of 2, with an impact of 2 and a likelihood of 1, because KOMINFO still does not use I&T. IT cost & oversight at the Bitung City Department of KOMINFO has a risk rating of 15, with an impact of 5 and a likelihood of 3, because an error in IT investment at the Bitung City Department of KOMINFO will affect the company's performance. IT expertise, skills & behavior has a risk rating of 20, with an impact of 5 and a likelihood of 4, because the Bitung City Department of KOMINFO needs a division of work that does not depend on only one person. Enterprise/IT architecture has a risk rating of 25, with an impact of 5 and a likelihood of 5, because if there is a failure in adopting and exploiting a new program, the Bitung City Department of KOMINFO cannot do anything and also suffers losses because it cannot use it. IT operational infrastructure incidents have a risk rating of 25, with an impact of 5 and a likelihood of 5, because accidental damage to IT equipment, IT staff errors in performing system maintenance or updating the system, errors in entering information made by IT staff, and other matters related to IT infrastructure will hinder the performance of the Bitung City Department of KOMINFO. Unauthorized actions have a risk rating of 10, with an impact of 5 and a likelihood of 2, because software damage or modification and manipulation of software and data in the Bitung City Department of KOMINFO by an irresponsible party can make the department's performance messy or irregular.

Figure 4 Risk Profile Factor Design Assessment
Software adoption/use problems have a risk rating of 15, with an impact of 5 and a likelihood of 3, because if users do not use the software properly, the objectives of the Bitung City Department of KOMINFO will not be achieved. Hardware incidents have a risk rating of 10, with an impact of 5 and a likelihood of 2, because a failure of the hardware used at the Bitung City Department of KOMINFO can stop all of its operations, but this does not happen very frequently. Software failures have a risk rating of 6, with an impact of 3 and a likelihood of 2, because the Bitung City Department of KOMINFO will immediately replace the software with the backup it has. Logical attacks (hacking, malware, and others) have a risk rating of 25, with an impact of 5 and a likelihood of 5, because cyberattacks can threaten confidential data important to KOMINFO and occur almost every day.
Third-party/supplier incidents have a risk rating of 1, with an impact of 1 and a likelihood of 1, because the Bitung City Department of KOMINFO does not use cloud services and is not recommended to use cloud services. Non-compliance has a risk rating of 3, with an impact of 1 and a likelihood of 3, because the internal regulations made by the Bitung City Department of KOMINFO have been adjusted to its operation. Geopolitical issues have a risk rating of 4, with an impact of 4 and a likelihood of 1, because government intervention or national policy may not follow the policy of the Bitung City Department of KOMINFO. However, there is no possibility that this will happen yet. Industrial action has a risk rating of 5, with an impact of 5 and a likelihood of 1, because if this scenario occurs at the Bitung City Department of KOMINFO, operational activities will be completely stopped. However, there is no possibility that this will happen yet. Acts of nature have a risk rating of 5, with an impact of 5 and a likelihood of 1, because natural disasters can damage the important operating system of the Ministry of Communication and Information Technology, but this is rarely the case at the Bitung City Department of KOMINFO.
Technology-based innovation has a risk rating of 3, with an impact of 3 and a likelihood of 1, because the Bitung City Department of KOMINFO does not have to update its technology to the latest, and this has never happened at the Bitung City Department of KOMINFO. Environmental has a risk rating of 5, with an impact of 1 and a likelihood of 5, because the Bitung City Department of KOMINFO has prepared backup hardware or backup power to overcome this. Data and information management has a risk rating of 5, with an impact of 5 and a likelihood of 1, because irresponsible parties can misuse sensitive data leaked from the Bitung City Department of KOMINFO.
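Every rating quoted in this section is consistent with rating = impact × likelihood on the two 1-5 scales. The following Python register is an added example, not part of the original study: it transcribes the 19 scenarios, checks each quoted rating against that product, ranks them, and lists the scenarios whose low score hides a maximum impact. The function names and the tail-risk filter (impact 5, likelihood 1) are assumptions of this example.

```python
"""Design Factor 3 risk register built from the ratings quoted in the text."""
from typing import NamedTuple


class Risk(NamedTuple):
    scenario: str
    impact: int      # 1 = very low ... 5 = very high
    likelihood: int  # 1 = rare ... 5 = almost
    stated: int      # risk rating as quoted in the text


# Transcribed from the Risk Profile section: (scenario, impact, likelihood, rating).
REGISTER = [
    Risk("IT investment decision making, portfolio definition & maintenance", 5, 2, 10),
    Risk("Programs & projects life cycle management", 2, 1, 2),
    Risk("IT cost & oversight", 5, 3, 15),
    Risk("IT expertise, skills & behavior", 5, 4, 20),
    Risk("Enterprise/IT architecture", 5, 5, 25),
    Risk("IT operational infrastructure incidents", 5, 5, 25),
    Risk("Unauthorized actions", 5, 2, 10),
    Risk("Software adoption/use problems", 5, 3, 15),
    Risk("Hardware incidents", 5, 2, 10),
    Risk("Software failures", 3, 2, 6),
    Risk("Logical attacks (hacking, malware, and others)", 5, 5, 25),
    Risk("Third-party/supplier incidents", 1, 1, 1),
    Risk("Non-compliance", 1, 3, 3),
    Risk("Geopolitical issues", 4, 1, 4),
    Risk("Industrial action", 5, 1, 5),
    Risk("Acts of nature", 5, 1, 5),
    Risk("Technology-based innovation", 3, 1, 3),
    Risk("Environmental", 1, 5, 5),
    Risk("Data and information management", 5, 1, 5),
]

# Upper bound in percent of each likelihood band given in the text.
LIKELIHOOD_BANDS = [(20, 1), (40, 2), (60, 3), (80, 4), (100, 5)]


def likelihood_level(percent):
    """Map an estimated chance of occurrence (percent) to the 1-5 likelihood level."""
    if not 0 < percent <= 100:
        raise ValueError(f"percent out of range: {percent}")
    return next(level for upper, level in LIKELIHOOD_BANDS if percent <= upper)


def rating(risk):
    """Impact x likelihood (assumption: the rule that matches every quoted rating)."""
    for name, value in (("impact", risk.impact), ("likelihood", risk.likelihood)):
        if value not in range(1, 6):
            raise ValueError(f"{risk.scenario}: {name} must be 1-5, got {value}")
    return risk.impact * risk.likelihood


def inconsistent(register=REGISTER):
    """Entries whose quoted rating differs from impact x likelihood."""
    return [r for r in register if rating(r) != r.stated]


def ranked(register=REGISTER):
    """Highest rating first; ties broken by impact, then by name."""
    return sorted(register, key=lambda r: (-rating(r), -r.impact, r.scenario))


def top_risks(register=REGISTER):
    """All scenarios sharing the maximum rating."""
    order = ranked(register)
    return [r for r in order if rating(r) == rating(order[0])]


def tail_risks(register=REGISTER, min_impact=5, max_likelihood=1):
    """Rare but severe scenarios that a plain ranking by rating pushes down."""
    return [r for r in register
            if r.impact >= min_impact and r.likelihood <= max_likelihood]


if __name__ == "__main__":
    print("inconsistent entries:", inconsistent())
    for r in ranked():
        print(f"{rating(r):>2}  I={r.impact} L={r.likelihood}  {r.scenario}")
    print("tail risks:", [r.scenario for r in tail_risks()])
```

Environmental (impact 1, likelihood 5) and Data and information management (impact 5, likelihood 1) both score 5, which is why the tail-risk list is worth reading alongside the ranking.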

Issues Related to Technology and Information
Here is a graph from Design Factor 4 on the Importance of Each Generic IT-Related Issue (Figure 5). The inputs of Design Factor 4 for the company are rated as follows, where importance 1 means there is no issue, 2 means there is an issue, and 3 means there is a serious issue:
• Dissatisfaction among various IT departments in the company because of a common sense of contribution to business value: importance 3, a serious issue.
• Dissatisfaction between the Business department and the IT department because of a failed business or low contribution to business value: importance 2, an issue.
• Significant IT-related incidents, such as data loss, security breaches, project failures, application errors, and others: importance 2, an issue.
• Service delivery problems by IT outsourcing: importance 1, no issue.
• Failure to meet regulatory or contractual requirements related to IT: importance 2, an issue.
• Regular audit reports regarding the assessment of poor IT performance or reported problems: importance 2, an issue.
• Hidden and fraudulent IT expenditures, such as IT expenditures in user departments that are out of control and not following the approved budget: importance 1, no issue.
• Overlap between existing ideas and the waste of resources: importance 3, a serious issue.
• Insufficient IT resources or lack of skills of existing IT employees: importance 3, a serious issue.
• Projects that support IT often failing to meet the company's business needs, or projects that are often late and exceed the specified budget: importance 1, no issue.
• Lack of involvement of company executive members or senior management with IT: importance 1, no issue.
• Complex IT models, so that decisions related to IT are unclear: importance 2, an issue.
• IT costs that are too high: importance 2, an issue.
• Inhibition or failure of innovation caused by the current IT system architecture, which is not supportive: importance 3, a serious issue.
• A gap between business and IT, which causes business users and IT specialists to communicate differently and not understand each other: importance 2, an issue.
• Data quality and integration across various sources: importance 3, a serious issue.
• Lack of supervision and quality control of existing applications, in this case applications being developed or used: importance 1, no issue.
• Business departments that apply their information with little or even no involvement from the IT department: importance 3, a serious issue.
• Ignorance of and non-compliance with security and privacy regulations: importance 1, no issue.
• Inability to use new technology or innovate using Information & Technology (I&T): importance 2, an issue.

Threat Landscape
In this Design Factor, there are 2 categories: high and normal. The Bitung City Department of KOMINFO has 0% at high and 100% at normal because the Bitung City Department of KOMINFO can prevent and control existing threats, so it operates at a normal threat level. Here is a graph from Design Factor 5 on the Importance of Threat Landscape (Figure 6):

Compliance Needs
Here is a graph from Design Factor 6 on the Importance of Compliance Requirements. In this Design Factor, there are 2 categories: high and normal. KOMINFO has a high of 100% because the Bitung City Department of KOMINFO, as a government agency, must follow the government's regulations. Therefore, the level of compliance from the Bitung City Department of KOMINFO is very high.

Role of Information Technology
Here is a graph from Design Factor 7 on the Importance of the Role of IT. This Design Factor has 4 categories of IT roles: support, factory, turnaround, and strategic. The Bitung City Department of KOMINFO has an important strategic role because it can help run and innovate in the process of providing information in addition to all matters related to IT that the Bitung City Department of KOMINFO handles. Meanwhile, the second category that plays an important role is the factory because when IT fails, it will directly impact the operational activities of the Bitung City Department of KOMINFO.

Information Technology Resource Model
Here is a graph from Design Factor 8 on the Importance of the Sourcing Model for IT. This Design Factor has 3 categories of IT resources: outsourcing, cloud, and insourced. The Bitung City Department of KOMINFO has insourced at 100% because it does not use third parties as IT resources and prefers to store its own data to prevent important data from being leaked.

Information Technology Implementation Methods
Here is a graph from Design Factor 9 on the Importance of IT Implementation Methods. In this Design Factor, there are 3 categories of IT implementation methods: agile, DevOps, and traditional. The Bitung City Department of KOMINFO has an agile of 100% because the Bitung City Department of KOMINFO uses agile as a method for developing applications, and if errors occur, they can still be corrected or reworked.

Information Technology Adoption Strategy
Here is a graph from Design Factor 10 on the Importance of Technology Adoption Strategy:

Company size
This Design Factor aims to see the size of the company based on the number of employees working for the company or, in this case, a government agency, namely the Ministry of Communication and Information Technology (KOMINFO) of Bitung City. For this Design Factor, data on the employees working at the Bitung City KOMINFO agency was obtained from the head of the IT Department staff. The results of the ten Design Factors described above take the form of a core model with a priority level and capabilities suggested by COBIT 2019. An information technology governance target that gets a priority value of 75 or more will get an ability value of 4; one that gets a priority value of 50 or more will get an ability value of 4. Those that get a priority value of 25 or more will get an ability value of 2, and those that get a priority value of 25 or less will get an ability value of 1.
Figure 12 and Table 2 show the results of the information technology governance Design Factors that have been obtained.

Conclusions
After conducting the research, the governance system design for the Government Agency Department of the Ministry of Communication and Information Technology of Bitung City has been obtained. Twenty-four core models are recommended to have an ability level of 1, including EDM01, EDM02, EDM03, EDM04, EDM05, APO01, APO02, APO03, APO04, APO05, APO06, APO07, APO09, APO10, APO11, APO14, BAI04, BAI08, BAI11, DSS06, MEA01, MEA02, MEA03, and MEA04. 11 core models are recommended to have an ability level of 2, including APO08, APO12, APO13, BAI01, BAI07, BAI09, BAI10, DSS01, DSS02, DSS03, and DSS04. 3 core models are recommended to have an ability level of 3, including BAI05, BAI05, and DSS05. 2 core models are recommended to have an ability level of 4, namely BAI02 and BAI03. This research extended only to designing the governance system, and the evaluation process was not conducted on the processes or core models in COBIT 2019.
The ability levels assigned to each core model are intended to reflect the maturity level of the processes associated with each model. The 24 core models recommended to have an ability level of 1 are likely to represent the basic foundational processes that should be established before moving up to higher levels of maturity. The 11 core models recommended to have an ability level of 2 are likely to represent processes that have been established and are being managed but may still require further improvement. The 3 core models recommended to have an ability level of 3 are likely to represent processes that are well-defined, documented, and consistently applied across the organization. Finally, the 2 core models recommended to have an ability level of 4 are likely to represent processes that are continually being improved and optimized to achieve organizational goals and objectives. It is important to note that the evaluation process was only conducted on the design of the governance system and not on the individual processes or core models, which may require further evaluation to determine their actual ability levels.

Figure 2 Assessment of Corporate Strategy Design Factor

Figure 3 Assessment of Design Factor for Corporate Purpose (chart: Design Factor 2 Enterprise Goals (Input), EG01 to EG13)

Figure 5 Assessment of Design Factor Problems Related to Technology and Information

Figure 6 Threat Landscape Factor Design Assessment

Figure 7 Design Factor Assessment of Compliance Needs

Figure 8 Assessment of Design Factor Role of Information Technology

Figure 9 Assessment of Design Factor Information Technology Source Model

Figure 10 Assessment of Design Factor Information Technology Implementation Model

Figure 11 Assessment of Design Factor for Information Technology Adoption Strategy

In this Design Factor, there are 3 strategies to adopt new technologies: first mover, follower, and slow adopter. The Bitung City Department of KOMINFO has follower at 90% because it focuses on companies with technology that is easy to use and widely used. When the technology has stabilized, the Bitung City Department of KOMINFO will implement the new technology. Slow adopter is at 10% because, owing to existing regulations, the Bitung City Department of KOMINFO is sometimes late in adopting new technology.

Table 1 Design Factor 11 (Enterprise Size)

Based on the data obtained from the head of the IT Department staff, the agency of the Ministry of Communication and Information Technology (KOMINFO) of Bitung City has between 50 and 250 employees, including approximately 30 Heads of Office, Civil servants, up to the Freelance Daily Worker (THL). Thus, Table 4.11 shows companies of the Small & Medium type.

4.12 Results of Information Technology Governance Design

Figure 12 Results of Information Technology Governance Design

Table 2 Results of IT Governance Capability