INFORMATION TECHNOLOGY AUDIT AT XYZ AGENCY, A GOVERNMENT INSTITUTION, USING COBIT 5 FRAMEWORK IN DOMAIN DELIVERY, SERVICE AND SUPPORT

Abstract: Technology has become an important component that people use to complete their work in this digital era. XYZ institution utilizes technology, especially in the field of e-government, to help each employee carry out their duties and responsibilities. In carrying out its responsibilities as a government agency, especially those related to the field of information technology, the institution may sometimes encounter problems. To find out the extent of information technology management in the XYZ institution, an audit is required. An audit using the COBIT 5 framework within the DSS domain was carried out to oversee the work as well as infrastructure management within the information technology area in the XYZ institution. The audit concludes that within the DSS domain the organization reached level 2, which means tasks are being done but not yet managed by the organization. There is room for improvement by establishing the processes through standard operating procedures (SOPs).


INTRODUCTION
The utilization of technology has become widespread in modern life and plays a substantial role in helping organizations, not only in the business sector but also in government agencies, carry out work activities that are increasingly concentrated. Technology has become a significant component used by humans to ease the resolution of problems, supported by information [1]. In this case, the quality of information can be judged by its precision, timeliness, and relevance. Information technology itself means the design, execution, and development of computer-based media aimed at improving the quality of the information owned [2].
Organization XYZ, a government institution that prefers not to be named, uses information technology to support the work of its office staff, particularly in the area of information technology. Organization XYZ has more than ten staff members who are proficient in controlling the hardware and software in use, with the aim of maintaining the performance of each existing computer component. In carrying out its responsibilities, the organization has a mission, part of which is to create a sound e-government system covering the community environment and its integration, by running quality governance so that everybody is able to access trusted information [1]. To gauge whether each component or device used accords with the applicable standards and regulations, we as researchers assess the information technology used, an activity better known as an audit. Audits are carried out to supervise and control the device infrastructure of the IT sector in the XYZ institution and to reduce the problems that often arise in the organization from poor governance. The purpose of this audit is to achieve more efficient, higher-quality governance [3].
The case study we chose to investigate is a government organization whose duty is to administer a system that processes data and information. It set up a data center to integrate all the information and data of regional work units and to provide information services to the community that can be trusted by everyone. The institution itself was formed on the legal basis of Law Number 36 of 1999 on telecommunications and the Law of 2004 on the regional growth planning system.
As time went by, in performing its job as a government agency, the XYZ institution, particularly in the field of information technology, has had its own technical and implementation issues. According to the staff, they have not done any evaluation of the information technology systems within the office. This is why the researchers wanted to conduct an audit to discover how reliable and useful the institution's use of technology has been.
One of the most popular IT audit frameworks is COBIT (Control Objectives for Information and Related Technologies), which was developed by ISACA in 1996. COBIT provides a framework that serves as a reference for determining the extent to which security standards are met and information technology governance is accomplished.
With COBIT, the results produced allow management to make decisions about problems in a continuous manner and to enhance the governance standards that exist in organization XYZ [4].
COBIT has 34 control objectives grouped into 4 domains:
1. Plan and Organize (PO), which covers strategy and how IT contributes to attaining the organization's targets.
2. Acquire and Implement (AI), an overview of the changes and improvements to systems so that they are in line with the organization's targets.
3. Deliver, Service, and Support (DSS), which covers the delivery of requested services, including smooth operation, security, and user support services.
4. Monitor and Evaluate (ME), which refers to management's capacity at the working level, internal control, compliance with rules, and the availability of governance [5].
The DSS domain was chosen because it is directly concerned with daily activities and with the governance of information technology in the institution. DSS itself consists of several parts: manage operations, service requests and incidents, manage problems, manage continuity, manage security services, manage business.
COBIT has been used in several institutions, companies and organizations, such as an education institution [6] and a for-profit company [7].

II. RESEARCH METHOD
The purpose of this study is "To perform audit activities on information technology using the COBIT 5 framework in the Deliver, Service and Support (DSS) domain" in the XYZ institution.
1) Data: The data used, also known as primary data, were obtained from the XYZ institution and taken directly from the subject through several interview sessions with the IT staff concerned.
2) Data Collection Techniques: The questions are open-ended and based on the COBIT 5 manuals, which are not a list of questions but rather a means to learn whether certain attributes, features, and activities exist within the company. For example, DSS05.01 is concerned with protection against malicious software, so the question would be whether the organization implements such protection and, if yes, whether it is done on an ad-hoc basis or as part of an existing Standard Operating Procedure. The answers to these questions are usually followed by direct observation or by a look at the evidence documents that support the claim.
The interviews were carried out with IT managers who have the capacity and knowledge of the information technology infrastructure and services in organization XYZ. The interview audio was recorded and later placed in a spreadsheet, where it was investigated and analyzed to assign a maturity level based on the answers.

B. Flow of Research
The flow of research is shown in Figure 2, and each step is described below:
the control objective of the DSS so that data can be taken from the questionnaire that had been allocated.
3. Data processing: compiling the recordings and notes.
4. After all the data is processed, the researcher analyzes it against the capability levels, so that the maturity level of each process is known.
5. In the last stage, the researcher draws conclusions and makes recommendations based on the results of the analysis from the previous stage.

C. Research Methods
In the research methods stage, we as researchers use a qualitative descriptive method, that is, gathering data to elaborate on the incidents or events that actually occur in each individual's environment so that researchers can assess the information obtained, by taking extended information and letting the interviewees give open opinions on the topics while asking the questions the researcher requires.

D. Procedure Determination of Results
The following is the procedure to calculate the result:
1. The numbers obtained from the questionnaire questions are summed for each sub-domain, DSS01 up to DSS06.
2. The researchers take the average for each sub-domain in order to place its result between the lowest level 0 and the highest level 5 of the Process Capability Level.
3. In the following stage, from the existing average, the attainment is decided through the percentage obtained for the sub-domain.
4. In the last step, it is determined whether each sub-domain is not attained, partially attained, mostly attained, or completely attained.

III. RESULT AND DISCUSSION
The research focuses on the Deliver, Service and Support (DSS) domain, which consists of several parts or subdomains: manage operations, service requests and incidents, manage problems, manage continuity, manage security services, and manage business. Each of these subdomains is assigned a maturity level as shown in Table I.

TABLE I. MATURITY LEVEL

Index 0 means the subdomain is not being carried out. Index 1 means it is being performed but is not managed within the organization. Index 2, on the other hand, means it is being done and managed by the organization; however, it is not defined and is not part of a standard operating procedure (SOP). Index 3 means it is part of an SOP, so the role, task, and expected outcome of the task and routines are clear. Index 4 means it is being expected and monitored on a regular basis. Lastly, index 5 means it is being evaluated and reviewed on a regular basis to achieve the best outcome of the task. Table II shows the rounding process for each score.

We conducted the interviews over several meetings. The maturity level results for each subdomain from the interviews are shown in Figure 3.

From the results above, the researchers conclude as follows: the COBIT 5 information technology audit found that the overall maturity level of the DSS domain is at Level 2 (Managed Process), which means all tasks are actually being done and managed within the institution, with the special note that DSS01 and DSS04 are well documented in terms of SOPs. This means there is room for improvement, and the institution may not need to look far, as it could simply follow what has been done for DSS01 and DSS04.
The results of the audit were handed to the institution's head officials, along with an explanation of the results and what can be done to improve them.

V. SUGGESTION
Below is a list of lessons learned that the researchers drew from this research to help other researchers working with COBIT 5:
1. Manage and re-check each question that will be asked of the respondent, and choose the right words to make each question easier for the respondent to answer.
2. Set the time or schedule the exact day when the interview will be conducted.
3. Document the interview by recording it for the whole of the interview process; this will make it easier for researchers to carry out the auditing process.
4. Increase the scope of the domains used beyond the DSS domain.
5. There is also a more recent COBIT version, COBIT 2019, that can be explored in future research.