Analyzing COBIT 5 IT Audit Framework Implementation using AHP Methodology

— COBIT has been known as the best practice standard in IT Governance, both in management or evaluated of the IT utilization. The role of IT Audit framework to evaluate the benefits of Information Technology in an enterprise either its gain benefits or fail in order to achieved the business objective. In Indonesia, most organization has been implemented the IT as their main support of process business, and deliberately conduct the evaluation of the implementation used some IT Audit framework such as ITIL, TOGAF, COBIT and other Government rule. Those frameworks have been known as an IT governance framework, most of organizations are choosing COBIT and ITIL due to the internal control issues. Therefore, this research will be focus on COBIT 5 utilization as an IT audit frameworks, a comparison also will be done between the COBIT 5 and ITIL. The comprehensive parameters in COBIT 5 which provides 5 category processes in two domain, management and control will be the variables of prioritizing process among them for each object. This paper will analyze the use of those parameters for some selected organization and prioritize them using the Analytical Hierarchy Process (AHP) methodology that will lead to create a new model of IT Audit frameworks based on the user requirement and opinion. the analyzing process the implementation of COBIT 5 framework in some organizations, and priorities the preferred attributes of COBIT 5 that very likely and suitable to the culture and needs of user in Indonesia using AHP Methodology, and create the best qualified model of IT Audit that fit with the requirements of the organizations especially for Indonesia organizations and companies


I. INTRODUCTION
Since year 2000 the Information Technology (IT) has been main support of business in every sectors such as educations, finances, government agencies, and many others in Indonesia.Indeed, this paradigm has encouraged by The Government through declare a policy regardless to enhanced the governments service delivery by using the IT as the backbone infrastructure, and it was also support by President's Statements NO. 3 year 2003 as the legacy regulation of the IT implementation in achieving the government objective's.
Due to the necessity of organization in achieve their objective, it should be based how successful the IT alignment on organization process business.(Sarno, 2009).state that to achieve the preferred goals, it is should be a regularly and consistently audit of IT process [1].Therefore, related to discovery how good the implementation of IT in the organization should be an Audit process which can be established as internal or external audit.The Audit process could be the best way to assure that the initiate process using IT will be consistence with the IT Governance that had been declared.
Audit can be described as a systematic process that conducted objectively by a competence and independently agent, which will be gathered evidence and testing its according to the guidance.Rules or frameworks.The objective of this audit process is giving the best description of the occur condition of the enterprises and report it's based on regardless to defined standards (ISACA, CISA 2006).[2] IT Audit objective is to evaluate and assure that IT processes that had been conducted in the organization based on the implemented standard operating procedure that use to maintain and monitoring those processes.[3].IT Audit processes was more focus to the optimization of IT utilization including the whole infrastructure that will support organization to achieve their goal.
IT Audit activities was focus on process that has higher risk and valuable assets in enterprises business sustainable.Therefore, this audit process investigate the internal control establishment due to the occurrence processes.Generally, the assessment of this internal control related to reduce the possibility risks that could affect the business and the IT Audit processes conduct based on the best practice or standard or framework for IT Audit.The best practice of IT Audit standards or frameworks, such as ITIL, ITGI, ISO and COBIT.[4] In this paper, researcher focus on COBIT frameworks, especially COBIT 5 frameworks which is based on preliminary study about IT Audit frameworks implementation.The respondents have been chosen several organization based on South Sumatera Province, Indonesia.In conducting the preliminary study using methodology survey, finalized researcher defined 40 organizations as respondent which has implemented COBIT 5 framework as best practice to conducted internal control in their organizations.
Basically, COBIT 5 has provide a comprehensive guidance for assessment processes which is structured, but in most implementation not the whole assessment procedures and attributes has been used optimally, this due to the condition and requirement of organizations [5].Therefore in this paper, for selecting the best optimal and useablity criterion of COBIT 5 framework we using AHP methodology .the AHP methodology has been used as the best solution for solving problems that consists of a complex and hirachical structured criterias and alternatives.[6]

A. IT AUDIT
The use of Information Technology (IT) today has become increasing so fast, either both in function and high technology that support it.As for organization in Indonesia, the ICT investment has become increase boost as the Ministry of Communication and Information Technology state that for strategic planning of ICT investment the national fund will be reach around 2.8 BillionUS$ (Detiknas,2014) [7].Now, due to the rapid ICT demand especially for internet infrasturcture, I believe it will cost more for the Government agencies.Huang (2009) states that organizations using IT need to do for IT Governance in order to gain the maximum benefit.[8] IT governance can be describe as the management of software and hardware are expected to develop and improve the profitability of information system and contribute long-term benefit for the organization The IT utilization not only has to be manage, but also need to control in term management IT Governance.Managed IT is a requirement to increase control over information assets.Value IT is a key element of administrative business process supporting the implementation of IT Governance.The management and control on IT Governance also need to be evaluate.Consequently, the necessity of IT Audit was requiring.IT Audit is a process that collecting evidence to base on best practice framework that will assure the integrity of information that result, the security of asset in IT infrastructure due to support an organization activities to achieve their business goal by using resource effectively (Weber , 2000).[9] The objective of IT Audit as mention before is to gained the enhancement of asset security, maintain data integrity, system effectiveness and efficiency related to the utilization IT and its infrastructure within organizations.Nugroho (2010) has conducting research related to the organizational culture of acceptance and use of IT in organization using the culture approahment with COBIT 5 framework as the best practice to design an IT Governance model [10].This research choosed Indonesia organization of non government as an object.Measwhile in this research, we also use COBIT 5 framework with objective to create an IT audit framework, and the object will be both from non and a government agency.This is also encourage by research of Woong Chul Choi and Dae Houn Yoo (2009), they research was establish an assessment of IT governances using the COBIT framework to prioritize IT investment in the organizations [11].Based on those research result, to developed an IT Audit model that can be used to assess the optimization of IT Governance in supporting the organizations to achieve their goal.Since the research will be based on Indonesia organization, the variety culture and geographical aspects also affect the utilization of COBIT 5 framework in audit process

B. COBIT Frameworks
Control Objectives for Information and related Technology (COBIT) version 5 has release on 2012.It was developed as a standard model of IT management by IT Governance Institute from ISACA.Its state that this framework has been develop to meet the organization requirements on management the IT processes align with stakeholder need.This framework contains new ideas compared to previous versions.COBIT 5 principles which is use to bees practice in management of IT [12] Figure 1.COBIT 5 Principles Source http:\\isaca.org\cobit

Principle 1
Emphasizes on goal cascade and value creation among different stakeholders who mane expects different IT value.Principle 2 Exhibits that COBIT does not limit to IT department but it covers entire enterprise.COBIT5 includes guide for integrations to corporate governance for value creation by specifying roles, activities and relationships.Principle 3 Indicates that COBIT aims to be the umbrella framework.COBIT provides an integration guideline to use with other frameworks.

Principle 4 Shows how ITG components relates and provide a set of critical success factors (which know as enablers).
Principle 5 Shows that COBIT 5 clearly separate governance and management.
From operational aspect, COBIT 5 provides 37 processes in two domains.The governance domains contain five processes while management domains contain 32 processes.These processes are provided as a guideline to practitioners.Below figure show the key governance and management areas of COBIT 5 processes.
Some research has been done using COBIT 5 framework as the best practices whit vary objectives and outcomes.Akbar Khrisna (2014) using COBIT5 framework collaborate with Risk Management framework to develop a risk management framework for Cloud Computing [13].The integration of these framework was to create a comprehensive framework that can help organization or companies to create optimal values from the usage of cloud computing.
The result of the integration as shown on Figure… and it consist of two main phases, which are risk governance and risk management.the whole processes in risk governance phase are adapted from COBIT 5framework, as you can see in Table XV, all the process inside risk governance phase along with their perspective outputs.Based on this research, COBIT 5 framework to be the umbrella frameworks and conduct the survey of the implementation using the framework in term of IT Audit or assessment of organization IT Governance.
Another research was objective to compare COBIT framework with other IT Governance frameworks, Ramloul and Semma (2014) conducted a benchmarking of the standard frameworks in marketplace which is one of important approaches for selecting appropriate standard frameworks used for IT Governance in order to investigate complementary and intersection that related to facilitate the implementation.This research selects IT Governance frameworks such as ITIL, COBIT, CMMI, PMBOK, TOGAF, ISO/ICE involved IT which are provide guidance and tools for better IT governance.[14] The result of this research was mapping the features among those framework, as can be seen in below table/… which shown mapping between COBIT and PMBOOK.Its conduct the mapping between COBIT and TOGAF.Based on this research, the popular frameworks for the IT Governance have been introduced and evaluated based on the EDM, APO, BAI, DSS and MEA parameters (The important parameter of COBIT 5. Overall this research which very useful to the author, by using the output of mapping which is COBIT, with ITIL and TOGAF.Therefore, based on this outcome, the author conducted research with aim to develop an IT Audit frameworks or assessment process using parameter agility, culture and environment, for organization which are located in Indonesia

III. ANALYTIC HIERARCHY METHODOLOGY
The Analytic Hierarchy Process (AHP) developd by Saaty.T (1980) which had been known as an effective tool for dealing with complex decision making, and may aid the decision maker to set priorities and make the best decision.
[15] By reducing complex decision to a series of pairwise comparisons and then synthesizing the results, the AHP helps to capture both subjective and objective aspects of a decision.In addition, the AHP incorporates a useful technique for checking the consistency of the decision maker's evaluation, thus reducing the bias in the decisionmaking process.
The AHP considers a set of evaluation criteria, and set of alternative option among which the best decision is to be made.It is important to note that especially deal with the selection and prioritizing process on COBIT 5 framework component's, which some of criteria could be contrasting in this research The AHP could help to proven that among all criteria and alternatives, are not the best option which optimize criteria than the one which achieves the most suitable with the user needs.
The AHP works by generates weight for each evaluation criterion according to the decision maker's pairwise comparison of the criteria.The values of the pairwise comparison in the AHP are determined according to the scale introduced by Saaty(1980) which know as Saaty Rating Scale[18] , as you can see in table 10, the higher the score will be indicate the more important of the criteria's.One of stage of this research is to prioritize the criteria of COBIT 5 using rating scale on user opinion (respondents).The prioritizing process will be determined which one the better performance of each criterion.Finally, the AHP combines the criteria weights and the option scores, thus determining a global score for each option, and a consequent ranking.The global score for a given option is a weighted sum of the scores it obtained with respect to all the criteria.The AHP methodology requires several stages [15] which are 1.Defining the problem 2. Structuring the problem 3. Evaluation 4. Incorporating uncertainty into the decision making process Those stages will be apply in this research, which will support the decision without changing the proposed alternatives that have been provide by COBIT 5. Tho achieve this, a sensitivity analysis is performed in which different scenarios are considered, determining the cut-off points to the weight of each criterion.
Several option of AHP software are available , which are very helpfull to do the prioritezing prosess.In this research, we use Super Decision tools, which has developed to help in weghting the criterion, especially for our reseaerch the pairwaise comparison will be done for about 37 IT process, 17 IT related goals and 17 Enterprise goals.This software very provide the features that assist the researcher to do pairwase comparison among those criterias, furthermore, its also generates the others mathematical fucntion such as the consistency ratio (CR), normalization and ratings of each criterion.
Therefore the application of the AHP method followed by using the Super Decions tools is to find the best model of IT audit that besed on user perspective and necesity, especiall for Indonesia organization's.
IV. RESEARCH QUESTION COBIT 5 with the whole parameter, and domains has been known as an IT Governance frameworks, which use to control and manage the IT management in organizations.Therefore, the author realizes how about the implementation of COBIT 5 as an IT Audit frameworks?How all the parameter utilization role in IT Audit process?does the COBIT 5 utilization has been optimized, especially for organization and companies in Indonesia.
The research methodology used is mixed methods.Tehcniques of data collecting conducted are survey resaerch, field research and literature review.Surveys were conducted by using quistionnaires to obtaiin quantitatvie data .while the field research carried out by using in-dept interviewes and observation.Surveys and interviews conducted on key rspondent/informatns that are supposed to represent gorups of related problem.Secondary data collections techniques performed through literature review based on literature and electronic journals.Thirdly, due to evaluted and choose the best components for the new IT Audit model, this research uesing AHP methodology to do teha the priority process.This process also backup with tools based for AHP methodlogy which is Super Decsion software.Table 2 is shown the questionaire list that had been used for the pleminary study of COBIT 5 implementatio.At begining ww have sent the quistionaire to 100 organizations or company that based in Palembang city, South Sumatera Province, Indonesia.Its tooks quite to get respond from them, and choose 40 respondent organization, as shown at Figure .3On Figure 4, it described how is the exist condition of IT utilizationa of each organization , those condition based on observation and assesment process in early stage.The Figure 5, describe which framework that had been appy as the IT governance best practice of those organizations.

Figure 5. IT Governance Framework Utilization
As figure 6 show the framework that had been use as IT Audit framework on respondent organizations.Based on this result, we choose COBIT 5 as the selected frameworks to be analyzing.

Figure 6. IT Audit Frameworks
Based on the survey result, it seem that the organization which has implemented IT as their main support for process business, has implemented IT Governance frameworks, and the IT audit framework in paralelize.Those result indicates that the awarness of organization on IT management and control both internally or externally has increase and fixed.

VI. PRIORITIZING PROCESS WITH AHP METHODOLOGY
In this stages the general objective of the decision must be clerly defined, togeher with the actors involved and the means necessary to achieve it.1.The objective: to prioritise the atributs of COBIT 5 which consist of IT Proces, IT related goal and Entreprise goal in order to gain a new model of IT Audit more effective and efficiently.
2. Definition of actors: the participants involved in the decision making process.In this research there are 40 respondents that had been selected to give their opinion of the implementation of COBIT 5 framework at their organization.Those usehas been using COBIT 5 as an IT Audit framework , thefore they posses experience and knowledge in IT infrastrucure and others that related.
Figure 7 show how hierarki of the prioritise process , this process will be support Software Super Decision from Creative Decision.Based upn AHP method was used to simplify the calculation procedure.In this research the AHP methodology had implemented in 3 steps which are: 1. Defining the problem The COBIT 5 framework was a standard and best practice was develop by ITGovernance Institute.Indeed this framework has comprehensivlt all standard and procedure relted to IT infrastructure and management.COBIT 5 consist of 37 IT Process, 17 IT related goals and 17 Entreprise goals from bottom to top level (see figure 7) Those comprehensive can be value as advantages , but also can be opposite.Regarding to the user and the organizations using it.The mapping process among criteriaas and also make decison to choose the right attributes based on the matrics, should done carefully, and it also takes time.
Therefore the objective of this research is to gain a new m odel of IT audit generated from COBIT 5 framework that more effective and efficieny.After al this objective could support the optimalization of COBIT 5 itself.

Computing the vector of criteria weights
In order to compute the weights for the different criteria, the AHP start creating a pairwise comparison matrix.This matrix is a mxm real matrix, where m is the number of evaluatioan criteria considered.The relative impotance between two criteria is measured according to a numerical scale from 1 to 9, as shown in Table 1, where it is assumed that the j th criterion is equally or more important than k th criterions.The phrases of "Definition" on Table 1 are only suggestive and may be used to translate the decision maker's qualitative evaluations of the relative importance between two criteria into numbers.It is also possible to assign intermediate values which do not correspond to a precise interpretation.The values in this matrix are by cosntructions pairwise consistent.However thanks to Super Decisionsoftware, so all the compatation and pairwise comparison process seem not so difficult, but indeed need more attention.As in Figure 8, is the hierarchy model of IT Related goal and IT Process, the mapping relation ship amongs criterions was based the mapping process on COBIT 5 framework.After the model had create, the next process was the pairwise comparison, researcher could said that this the difficult and very take time process of this research.Lucky, the Super Decision very helpfull, despite some other process was still need to do manually.
Figure 9,10,11 show the pairwaise processes.From this features we could get a matrix of the criterions, the normalized, inconsistency and the priority weigth of each criterion.Although we still have to copy the result into Microsoft Excel, to do the next computation.

Pairwise Comparison Process
As the pairwasi comparison done, and we got the result of each criterion the matrices, and priorities weight, then we copy into excel, this is the disadvantage of Super Decision Software, because it has no features that possible to import the data into excel, so we have to do it manually.The problems its that some datas are in decimal forms should be retype again, because we could not use the data directly for mathematic computing.This stage are ingoing procesess, with number of criterions and pairwise comparison against the respondents that we have to do carefully, so it could take time.But we menaged to present the sample of priority wieght of those criterion which you can see on figure 12, 13 and 14.This result it was an output from Super Decion Software, after we re-process its again using Microsoft Excel.This tables are represent sample of the average of the COBIT 5 prioritize criterions.Because we have 17 criterrion of IT Related goals compaired with 17 Enterprise goals and 37 IT Proceses from 40 respondents.The process still ingoing in order to validated the result data and get the precise result for this research.

CONCLUSION AND DISCUSSION
The process of implementing AHP methodology for selecting the criterion of COBIT 5 utilizations it is possilble to definite the best model of IT Audit framework based on user opinion regadless the necesity and culture factor.This decision making process might be based on imperfect information, but the AHP methodology has transformed those kind of information into a quantitave criterion that should be enough to be considered as the best result.The Super Decision software that use to support the AHP methodology has support partially the process.While using it, we have found several weaknesses of this software, such as the format data that cannot adjustment into number type into excell.Another research would be need to develop a better to this software.Meanwhile, we still focus on the next step of our objective that create the best model of IT audit framework for organizations.

Figure 2 .
Figure 2. Research Framework V. RESULT AND DISCUSSIONThe collecting data through survey has been organized using the excel microsoft word.Tables belows will shown the result of the survey.

Figure 4 .
Figure 4.The propotional og IT utilization on respondents

Figure 7 .
Figure 7. Prioritizing Process Based on figured 16, thenusing the Super Decision Software we construct the hierarchi model for the criterions based on the COBIT 5 framework.In this researc , we constructed the criterion of COBIT 5

Figure 9 .
Figure 9. Model hierarchy IT Related goals and IT Processes

Figure 10 .
Figure 10.Pairwise Comparison process for criterion Enterprise Goal and IT related Goals

Figure 11 .
Figure 11.Pairwise Comparison process for criterion IT Procesess 4. Analyizing the priority weight processThis stage are ingoing procesess, with number of criterions and pairwise comparison against the respondents that we have to do carefully, so it could take time.But we menaged to present the sample of priority wieght of those criterion which you can see on figure12, 13 and 14.This result it was an output from Super Decion Software, after we re-process its again using Microsoft Excel.This tables are represent sample of the average of the COBIT 5 prioritize criterions.Because we have 17 criterrion of IT Related goals compaired with 17 Enterprise goals and 37 IT Proceses from 40 respondents.The process still ingoing in order to validated the result data and get the precise result for this research.