Developing Compliant Audit Information System for Information Security Index: A Study on Enhancing Institutional and Organizational Audits using Web-based Technology and ISO 25010:2011 Total Quality of Use Evaluation

Wahyu Prabowo - Institut Teknologi Telkom Purwokerto, Purwokerto, 53147, Indonesia

Citation Format:



This study aimed to develop the KAMI 4.1 Index system application based on web application technology to provide a platform for controlled audit implementation and improve data management. The primary goals were to independently assess organizations' ability to obtain ISO 27001:2013 and enhance the audit process's effectiveness and efficiency. The research utilized web application technologies as materials. It employed a systematic approach, focusing on developing a web-based application using the waterfall model's stages of communication, planning, modeling, construction, and deployment. The resulting KAMI 4.1 Index system application introduced a new and efficient platform for controlled audit implementation, featuring an improved user experience and enhanced ease of use by incorporating existing audit calculations from the KAMI 4.1 index. Evaluation based on the ISO 25010:2011 quality of use model yielded a high total quality of use rate of 81.45%, indicating a "very good" categorization. However, areas requiring further research and improvement were identified, including data security, content coverage, freedom from risk, and error tracking. The study also suggested exploring integration possibilities of the audit system with other ISO audit needs, such as a quality assurance system complying with ISO 9001. Further research is necessary to gather information about user criteria and needs in different organizational contexts, ensuring the audit application system meets their requirements. Overall, this research contributes to developing the KAMI 4.1 Index system application and highlights directions for further enhancement and exploration in controlled audit implementation and data management.


audit; security; ISO 27001; ISO 25010

Full Text:



C. Y. Jeong, S. Y. T. Lee, and J. H. Lim, “Information security breaches and IT security investments: Impacts on competitors,” Information and Management, vol. 56, no. 5, pp. 681–695, 2019, doi: 10.1016/

B. Arora and Z. Rahman, “Information technology investment strategies: a review and synthesis of the literature,” Technol Anal Strateg Manag, vol. 28, no. 9, pp. 1073–1094, 2016, doi: 10.1080/09537325.2016.1181742.

G. Uuganbayar, A. Yautsiukhin, F. Martinelli, and F. Massacci, “Optimisation of cyber insurance coverage with a selection of cost-effective security controls.” Comput Secur, vol. 101, p. 102121, 2021, doi: 10.1016/j.cose.2020.102121.

B. Zhu and S. Wang, “Does Information Technology Capability Affect Internal Control Disclosure? Evidence from China,” in 2018 15th International Conference on Service Systems and Service Management, ICSSSM 2018, 2018. doi: 10.1109/ICSSSM.2018.8465045.

T. Wang, Y. Wang, and A. McLeod, “Do health information technology investments impact hospital financial performance and productivity?,” International Journal of Accounting Information Systems, vol. 28, pp. 1–13, 2018, doi: 10.1016/j.accinf.2017.12.002.

S. Héroux and A. Fortin, “The internal audit function in information technology governance: A holistic perspective,” Journal of Information Systems, vol. 27, no. 1, pp. 189–217, 2013, doi: 10.2308/isys-50331.

A. Sanusi Fasilat and H. Hassan, “Evaluation of information technology impact on effective internal control in the University system,” in AIP Conference Proceedings, 2015. doi: 10.1063/1.4937086.

K. Tworek, “Reliability of information systems in organization in the context of banking sector: Empirical study from Poland,” Cogent Business and Management, vol. 5, no. 1, pp. 1–13, 2018, doi: 10.1080/23311975.2018.1522752.

J. Peinado, A. R. Graeml, and F. Vianna, “Operations management body of knowledge and its relevance to manufacturing and service organizations,” Revista de Gestão, vol. 25, no. 4, pp. 373–389, 2018, doi: 10.1108/rege-03-2018-0049.

M. Tarek, E. K. A. Mohamed, M. M. Hussain, and M. A. K. Basuony, “The implication of information technology on the audit profession in developing country,” International Journal of Accounting & Information Management, vol. 25, no. 2, pp. 237–255, 2017, doi: 10.1108/ijaim-03-2016-0022.

P. J. Steinbart, R. L. Raschke, G. Gal, and W. N. Dilla, “The relationship between internal audit and information security: An exploratory investigation,” International Journal of Accounting Information Systems, vol. 13, no. 3, pp. 228–243, 2012, doi: 10.1016/j.accinf.2012.06.007.

S. Tangprasert, “A Study of Information Technology Risk Management of Government and Business Organizations in Thailand using COSO-ERM based on the COBIT 5 Framework,” J Appl Sci (Thailand), vol. 19, no. 1, pp. 13–24, 2020, doi: 10.14416/j.appsci.2020.01.002.

J. Jang-Jaccard and S. Nepal, “A survey of emerging threats in cybersecurity,” in Journal of Computer and System Sciences, 2014, pp. 973–993. doi: 10.1016/j.jcss.2014.02.005.

D. Young, J. Lopez, M. Rice, B. Ramsey, and R. McTasney, “A framework for incorporating insurance in critical infrastructure cyber risk strategies,” International Journal of Critical Infrastructure Protection, vol. 14, pp. 43–57, 2016, doi: 10.1016/j.ijcip.2016.04.001.

M. Eling and J. Wirfs, “What are the actual costs of cyber risk events?,” Eur J Oper Res, vol. 272, no. 3, pp. 1109–1119, 2019, doi: 10.1016/j.ejor.2018.07.021.

S. S. Wang, “Integrated framework for information security investment and cyber insurance,” Pacific Basin Finance Journal, vol. 57, no. February, p. 101173, 2019, doi: 10.1016/j.pacfin.2019.101173.

M. Kanatov, L. Atymtayeva, and B. Yagaliyeva, “Expert systems for information security management and audit. Implementation phase issues,” in 2014 Joint 7th International Conference on Soft Computing and Intelligent Systems, SCIS 2014 and 15th International Symposium on Advanced Intelligent Systems, ISIS 2014, 2014, pp. 896–900. doi: 10.1109/SCIS-ISIS.2014.7044702.

R. E. Davis, IT Auditing: An Adaptive System. 2013.

M. Mustapha and S. Jin Lai, “Information Technology in Audit Processes: An Empirical Evidence from Malaysian Audit Firms,” International Review of Management and Marketing, vol. 7, no. 2, p. 53, 2017, [Online]. Available:

B. Christensen, “Arriving at internal audit’s tipping point amid business transformation,” Edpacs, vol. 54, no. 1, pp. 15–16, 2016, doi: 10.1080/07366981.2016.1195674.

A. M. Rose, J. M. Rose, K. A. Sanderson, and J. C. Thibodeau, “When should audit firms introduce analyses of big data into the audit process?,” Journal of Information Systems, vol. 31, no. 3, pp. 81–99, 2017, doi: 10.2308/isys-51837.

R. E. Davis, “Relationship between Corporate Governance and Information Security Governance Effectiveness in United States Corporation,” p. 223, 2017, [Online]. Available:

James A. Hall, Information Technology Auditing and Assurance. 2011.

BSSN, “Konsultasi dan Assessment Indeks KAMI.” Accessed: Apr. 30, 2021. [Online]. Available:

B. H. dan H. M. – B. Komunikasi Publik, “Konsultasi dan Assessment Indeks KAMI.” [Online]. Available:

O. Ovchinnikova and M. Grebneva, “Methodology for Evaluating the Enterprise’s Internal Control System,” Auditor, vol. 6, no. 5, pp. 3–7, 2020, doi: 10.12737/1998-0701-2020-3-7.

L. Che, X. Yang, and F. Jiang, “Application and research on business intelligence in audit business,” in MATEC Web of Conferences, 2017. doi: 10.1051/matecconf/201710005001.

Protiviti, “Arriving at Internal Audit’s Tipping Point Amid Business Transformation: Assessing the Results of the 2016 Internal Audit Capabilities and Needs Survey – and a Look at Key Trends over the Past Decade,” 2016.

J. M. S. França and M. S. Soares, “SOAQM: Quality model for SOA applications based on ISO 25010,” in ICEIS 2015 - 17th International Conference on Enterprise Information Systems, Proceedings, SciTePress, 2015, pp. 60–70. doi: 10.5220/0005369100600070.

International Organization For Standardization Iso, “Iso/Iec 25010:2011,” Software Process: Improvement and Practice, vol. 2, no. Resolution 937, pp. 1–25, 2011, [Online]. Available:

B. Peischl, M. Ferk, and A. Holzinger, “Integrating user-centred design in an early stage of mobile medical application prototyping a case study on data acquistion in health organisations,” in ICETE 2013 - 10th Int. Joint Conf. on E-Business and Telecommunications; 4th Int. Conf. DCNET 2013, - 10th Int. Conf. on ICE-B 2013 and OPTICS 2013 - 4th Int. Conf. on Optical Communication Systems, 2013. doi: 10.5220/0004493901850195.

A. Holzinger and W. Slany, “XP + UE → XU praktische erfahrungen mit eXtreme usability,” Informatik-Spektrum, vol. 29, no. 2. 2006. doi: 10.1007/s00287-006-0060-5.

K. Petersen, C. Wohlin, and D. Baca, “The waterfall model in large-scale development,” in Lecture Notes in Business Information Processing, 2009. doi: 10.1007/978-3-642-02152-7_29.

N. Bin Saif, M. Almohawes, and N. S. Mohd Jamail, “The impact of user involvement in software development process,” Indonesian Journal of Electrical Engineering and Computer Science, vol. 21, no. 1, 2021, doi: 10.11591/ijeecs.v21.i1.pp354-359.

M. Scriven, “The Checklist Imperative,” New Dir Eval, vol. 2019, no. 163, pp. 49–60, 2019, doi: 10.1002/ev.20374.

B. Waseso and R. S. Wahono, “Pengukuran Maturitas Pengembangan Perangkat Lunak Melalui Pendekatan Integrasi Capability Maturity Model Integration dan Six Sigma,” Jurnal Informatika dan Komputasi, vol. 11, 2010, [Online]. Available:

S. Arikunto, Prosedur Penelitian : Suatu Pendekatan Praktik (Edisi Revisi). 2012.