Gap Analysis of IT Governance in Supporting Integration of Organizational Universities (Case Study: University of General Achmad Yani Yogyakarta)

Gap analysis is the first step in making universities have good IT governance. Gap analysis is a key requirement that can increase university success. More and more universities rely on information technology to manage universities. Information technology is an integral part of most universities that are currently and certainly will become more critical in the future. Data collection was carried out at the University of General Achmad Yani Yogyakarta. The transition from high school to university made Yogyakarta General Achmad Yani remodel all information systems and networks. The arrangement of information systems and networks that are good and in accordance with standards is nothing but to achieve the vision, mission and support for organizational integration of the University of General Achmad Yani Yogyakarta. The method used in this study is gap analysis and COBIT 5. COBIT 5 is one of the Best Practices on IT governance that describes the main role of information and technology to create "value." COBIT 5 separates the process of governance and management scope process The process of collecting data uses a structured interview method to the University of General Achmad Yani Yogyakarta.From data collection there were 2 IT Goals and 16 COBIT 5 domains namely EDM, APO, BAI, DSS and MEA. Gap analysis results in the EDM03, EDM04 process domain , APO01, APO07, APO10, APO12, BAI06, DSS03, DSS05 and MEA01 get the value of gap 1 and APO03, APO04, APO13, BAI09, BAI10, and DSS01 get the gap value 2. Keywords―IT Governance, COBIT 5, IT Framework, Gap Analysis.


I. INTRODUCTION 1
University is a college that consists of several faculties that hold scientific education. The university is a place to study and gather information for students and equip themselves with skills and expertise. Information Technology makes all processes faster, easier, more efficient and more accurate.
IT participation in the world of education is no longer considered an option, but an absolute necessity that must be owned by the university. The role of IT as an enabler allows universities to realize a faster, cheaper and better 1 Amrina Friska Apriliana and Erma Suryani are with Department of Management Technology, Institut Teknologi Sepuluh Nopember, Indonesia. Email: amrinafriska@gmail.com; erma.suryani@gmail.com. education process. IT must also be in line with the vision, mission and goals of the university, so that a good IT governance system is needed. IT governance is defined as the arrangement of relationships and processes to direct and control universities to achieve goals by adding value and balancing risks to information technology.
In an effort to compile good IT governance a university is required to have qualified and superior competent experts. With good IT governance, it will produce successful universities that have qualified graduates who are ready to compete in the world of work.
The University of General Achmad Yani Yogyakarta is one of the universities that carry out education with the help of information technology. The rapid development of information technology requires the University of General Achmad Yani Yogyakarta to follow the latest developments in information technology to face competition. Until now, the role of IT has a large portion to support the business process of the University of General Achmad Yani Yogyakarta.
With the joining of the College of Health Sciences (STIKES) and the College of Information and Computer Management (STMIK) to become a university, the Central Information System Institute overhauled all information systems and network arrangements at the University of General Achmad Yani. Structuring a good information system and network will provide significant benefits to the university.
To ensure that the business process of the University of General Achmad Yani Yogyakarta runs smoothly, IT governance is made for information systems and networks. IT governance to ensure that information technology can support the University of General Achmad Yani Yogyakarta to achieve the vision, mission and objectives of the university. In making IT governance using COBIT 5 to get the results of recommendations in accordance with the standards. The University of General Achmad Yani Yogyakarta has 2 campuses. The first campus is located on Jl. Siliwangi, West Ringroad, Banyuraden, while the second campus is located on Jl. Brawijaya, West Ringroad, Ambarketawang where both campuses are in Gamping District, Sleman Regency, Special Region of Yogyakarta. Universitas Jenderal Achmad Yani Yogyakarta has representative tuition facilities, international standard laboratories, and is supported by various educational support facilities [1].

B. Institute of Information Center of the University of General Achmad Yani Yogyakarta
The Center for Information Systems (PUSI) is a special part of the organizational structure of the University of General Achmad Yani, who is in charge of managing Information Technology infrastructure and utilizing it in the institutional activities of the University of General Achmad Yani, especially for Academic purposes. PUSI is in the coordination of the Deputy Chairperson of Division I, which is in charge of Academic affairs.
The following activities are among the main tasks & functions performed by PUSI:  Maintenance of computer, intranet and internet network infrastructure.  Maintenance of servers, information systems and their development.  Information technology services both hardware and software for academic activities.  Management of the institution's official website and social network. In its operational activities, PUSI collaborates with the Head of the Laboratory and Laboratory staff, especially for the management of the Computer Laboratory. Besides that, PUSI is assisted by a team of administrators from students. This team was recruited and formed periodically to help optimize the utilization of Information Technology on campus. The Information Center Operational Room is located in the Main Building, 3rd floor, along with the Computer Laboratory for lecture activities [1].

C. Information Technology Governance
Information technology governance is about ensuring management of information technology to support and even align with the business strategy of a company carried out by the board of directors, executive management, and also by management information technology.
By following a formal framework, organizations can produce measurable results to achieve their strategies and goals. Formal programs also consider the interests of stakeholders, as well as staff needs and the processes they follow. In the big picture, IT governance is an integral part of overall corporate governance.
The purpose of building information technology governance is to align IT resources into enablers. With the existence of information technology governance, IT activities can run systematically, in a controlled and effective manner [2].

D. Information Technology
Information technology refers to application technology about data and information, including collecting, showing, dealing with, safe, transmitting, exchanging, appearing, managing, managing, storing, and searching for data and information. Information is used to manage and deal with the common names of different technologies. It uses computer science and communication technology with the aim of developing, installing and implementing information systems and application software. An information technology system is someone adopting and developing a comprehensive structure of information technology to achieve strategic goals. Including management composition and technology. Its management composition includes mission, function and information requirements, disposal systems and information procedures. Technology compositions include technical standards of information used to realize the management system structure [3].

E. Process Reference Model COBIT 5
The COBIT 5 reference model process divides corporate governance and IT management processes into two main areas of activity, governance and management, then divided into several process domains:

1) Governance
Area governance is in the Evaluate, Direct and Monitor (EDM) domain. In the EDM domain there are 5 processes, namely EDM01 (Ensure Governance Framework Settings and Maintenance), EDM02 (Ensure Benefits Delivery), EDM03 (Ensure Risk Optimization), EDM04 (Ensure Resource Optimization) and EDM05 (Ensure Stakeholder Transparency).

F. COBIT 5
COBIT (Control Objectives for Information and Related Technology) is an IT governance model in assessing IT and understanding and managing IT-related risks to help auditors, management, and other users in bridging the gap between expectations and reality of business risks, control needs, and problems. Technical issues so as to meet IT governance requirements and ensure the integrity of information and company information systems. In other words COBIT (Control Objectives for Information and Related Technology) is a set of documentation of best practices for IT Governance that can help auditors, users, and management, to bridge the gap between business risk, control needs and IT technical issues [5]. The COBIT 5 framework is built on five basic principles, which are discussed in detail, and include extensive guidance on enablers for corporate governance and IT management [4].

G. COBIT 5 Cascading Process
The cascading process in COBIT 5 is a mechanism to translate stakeholder needs of stakeholder needs into specific, actionable and adaptable company goals and targets related to IT. This cascading allows setting specific goals at each level and in each area of the company to support the overall goals and requirements of stakeholders [6]. The process is like Figure 1.

H. RACI Chart
RACI Chart is a simple matrix that is used to define roles and responsibilities for each task or decision. Here's a further explanation about RACI:  R (Responsible) is about who gets the task to do. It appoints the person in charge of operational activities that meets the needs and creates the results expected by the organization.
 A (Accountable) is about who is responsible for the success of the assignment given. This refers to the person in charge of the whole task.  C (Consulted) is about who provides input or suggestions. This refers to the role that is responsible for obtaining information from other parts or partners.  I (Informed) is about who is the recipient of information.
This refers to the role that is responsible for receiving the right information to oversee each task given [6].

I. Process Assessment Model COBIT 5
Assessment indicators, shown in figure 8, are used to assess whether process attributes have been achieved. There are two types of assessment indicators:  Process capability attribute indicator, which applies to capability levels 1 to 5.  Process performance indicators, which apply exclusively to capability level 1.  PAM on COBIT 5 is divided into two parts, the first is a scale rating technique used to assess the second part of the process dimension which consists of 5 dimensions of EDM, APO, BAI, DSS and MEA processes. The step process for the judgment is explained in Figure 3. Process performance indicators (basic practices and work products) are specific to each process and are used to determine whether a process is at the capability level 1. These performance indicators consist of basic practices and work products and are exclusive to level 1. Basic practices and work products for each the COBIT 5 process is shown in section 3.0. This is based on COBIT content 5. Process capability attribute indicators are generic for each process attribute for capability levels 1 to 5. Level 1, however, only has a single generic practice indicator for capabilities that are directly aligned with the achievement of specific performance indicators described in the reference model process in section 3.0. The process capability attribute indicators used in the assessment of COBIT 5 process capabilities are: This dimension of capability provides a measure of the ability of a process to meet the company's current business goals or projected for the process. In Figure3 process capabilities are expressed in terms of process attributes grouped into ability levels, the level of ability of a process is determined based on achieving certain process attributes according to ISO / IEC 15504-2: 2003. The rating scale involves the following six levels of ability:  Level 0 Incomplete process -The process is not implemented or fails to reach the goal of the process. At this level, there is little or no evidence of systematic achievement of the process objectives.  Level 1 Process performed (one attribute) -The process that is implemented reaches the goal of the process.  Level 2 (two attributes) -The process carried out described earlier is now implemented in a managed (planned, monitored and adjusted) way and the work product is properly created, controlled and maintained.  Level 3 established (two attributes) -The managed process described earlier is now implemented using a specified process that is able to achieve the results of the process.  Predictable Level 4 (two attributes) -The process described earlier now operates within the specified limits to achieve the results of the process.  Level 5 (two attributes) -Predictable processes described previously are continually being improved to meet current and projected relevant business goals [7]. Each attribute is assessed using a standard rating scale specified in the ISO / IEC 15504 standard. This rating consists of:  N -Not reached. There is little or no evidence of achievement of attributes defined in the process being assessed.  P -Reached in part. There are several proofs of the approach, and some achievements, the attributes specified in the process assessed. Some aspects of attaining attributes may not be predictable.  L -Most are achieved. There is evidence of a systematic approach to, and significant achievement of, the attributes defined in the process being assessed. Some weaknesses related to this attribute may be in the process being assessed.  F -Fully reached. There is evidence of a complete and systematic approach to, and full achievement of, the attributes specified in the process being assessed. There are no significant weaknesses associated with this attribute in the process being assessed There is a need to ensure a consistent level of interpretation when deciding which rank to set. Appraisers use this scale to determine the level of ability achieved. Applied consistently, this criterion allows each assessment to be based on a level of structured formality and allows comparison of assessments across organizations or even in various companies [7].

J. Maturity Level
Maturity Level to measure IT maturity in current companies and to determine IT gaps and how to improve IT maturity in accordance with the company [6]. The COBIT 5 product range includes a process capability model, based on ISO/IEC 15504 internationally recognized software engineering for process assessment standards.
This model achieves the same overall goal of process assessment and process improvement support, namely providing a means to measure the performance of each governance process (EDM-based) or process management (PBRM-based), and will enable areas for improvement to be identified. The step process for the maturity level is explained in Figure 2.

A. The Early Stage
This initial stage has two steps that must be done, namely Literature Study and data collection related to the University of General Achmad Yani Yogyakarta. Literature studies are carried out by finding literature sources and journals related to governance COBIT 5 do that they can support knowledge in the work of IT governance. The results obtained in this chapter have been explained in Literature Review such as information technology, information technology governance, framework COBIT 5.
At this stage data collection is used as input in conducting the analysis phase. Therefore, this stage is carried out in 2 ways, namely by interview and observation. RACI Chart Respondents COBIT 5 is divided into 2 areas, namely governance and management areas. Area governance at the University of General Achmad Yani Yogyakarta is the Kartika Eka Paksi Foundation, while for area management is the organizational structure at the University of General Achmad Yani Yogyakarta. The following is the RACI Chart for the governance area.

B. The Development Stage
In this stage the election of IT Goals resulted in the University of General Achmad Yani Yogyakarta. The results of the selection of IT Goals were obtained from interviews with the Institute of Information Center of the University of General Achmad Yani Yogyakarta. From the interviews, there were 2 IT Goals, namely number 10 Information security, processing and application infrastructure (network security) and number 11 Optimizing IT assets, resources and capabilities (network infrastructure).

C. The Final Stage
The last stage contains preparation of IT governance documents that have been validated by universities and developers. Governance planning is made by considering plans for improvement needed in each process.
The improvement plan is made based on the results of the gap analysis that has been obtained at the development stage. The improvement plan contains recommendations that must be made by the company with the aim of giving direction to the foundation and management in order to achieve the expected level of information technology process capability. Furthermore, the creation of a governance model is manifested in the formulation of company policy proposals related to information technology at the University of General Achmad Yani Yogyakarta.

A. Data and Information Collection
Data and information collection was carried out by observation and interviews at the University of General Achmad Yani Yogyakarta. By joining the IMU Health College (STIKES) and the College of Information and Computer Management (STMIK) General Achmad Yani Yogyakarta, the Institute of Information Centers has overhauled all information networks and systems. The work on this report focuses on networks and information systems at the University of General Achmad Yani Yogyakarta.

B. Data Collection
Data collection is done by observation, interviews and questionnaires. Observations and interviews were conducted to find out information about the current conditions at the General Achmad Yani University in Yogyakarta. The questionnaire was conducted to determine the value of information technology capabilities at the University of General Achmad Yani Yogyakarta. The questionnaire was created using the COBIT 5 template.
The questionnaire respondents were stakeholders from the University of General Achmad Yani Yogyakarta. Respondents are divided into 2 namely governance and management areas. The area governance stakeholders are the Kartika Eka Paksi Foundation which houses the University of General Achmad Yani Yogyakarta. Area management stakeholders are staff of the University of General Achmad Yani Yogyakarta.

C. Selection of IT Goals and Domain COBIT 5
The selection of IT Goals was obtained from interviews with the head of the Information Center Institute. Based on the results of interviews with the Information Center Institution obtained 2 IT Goals. The first IT goal is number

D. Questionnaire Making
The questionnaire used is an assessment model in accordance with ISO / IEC 15504 which is used as a basis for assessing the ability of each COBIT process 5. Questionnaire questions are taken from the process dimensions and process indicators.

E. Data Processing Method
The method of processing questionnaire data to determine the maturity level using a guide from the COBIT 5 Self Assistance Guide. In the guide the first step in assessing each process is to determine whether a process is really being carried out and is achieving results. In the questionnaire there are tables for each process. Indicators at capability level 1 are specific to each process and assess whether the following attributes have been achieved. In conducting assessments for capability level 1 for each process, the extent to which the results for the process need to be decided, as shown in Table 2 [6]. If the process being achieved, gets an F value for 'fully achieved', if only two results are achieved, then it can be assessed L for 'mostly achieved', if only one result is achieved, this can be ranked P for 'partially achieved', and if nothing is achieved, it can be assessed N for 'not achieved'. In some cases, some results are being achieved, in this case L (mostly) or P (partially) will be assessed.

F. Data Processing
16 COBIT 5 domains will measure their capability level. Each COBIT 5 domain process is assessed in stages starting from level 0 to level 6. The rating for each level is null (N), partially (P), largely achieved (L) and fully achieved (F). If the process is declared to get a level if the rating is at level L or F. If a process can proceed to the next level of rating if the rating is at level F.
After filling out questionnaires and interviews with respondents, the University of General Achmad Yani Yogyakarta obtained results of level 2 capabilities for 10 domain processes and results of capability level 1 for 6 processes. The recapitulation results are shown in the table 3.  Table 3, it can be seen that the 10 COBIT 5 process domains are EDM03, EDM04, PO01, APO07, APO10, APO12, BAI06, DSS03, DSS05 and MEA01 at the University of General Achmad Yani Yogyakarta are at level 2, Managed Process, where the process has been explained previously it was implemented and managed by planning, monitoring, adjusting the work products, as well as control and maintenance. For 6 COBIT 5 process domains, namely APO03, APO04, APO13, BAI09, BAI10 and DSS01 are at level 1, namely the Performed process, where the process has been implemented and has achieved the planned goals.

G. Gap Analysis
Gap analysis to find out how much information technology gaps occur at the University General Achmad Yani Yogyakarta. By knowing the gap value of each COBIT 5 domain it is easy to determine the domain that needs improvement. Gap analysis is done by comparing the expected level of maturity of information technology governance with the level of maturity of current information technology governance (as is). From this comparison priority results are obtained for domains that need improvement. Table 5 shows the capability gap analysis that is currently and is expected at the General Achmad Yani University of Yogyakarta. From Table 5, the results of the current capability gap analysis are obtained from those expected by the University of General Achmad Yani Yogyakarta. The results of gap analysis on the process domains of EDM03, EDM04, APO01, APO07, APO10, APO12, BAI06, DSS03, DSS05 and MEA01 get the value of gap 1 where information technology management in the process domain related to information technology at the University of General Achmad Yani Yogyakarta is still not optimal for meet university targets.
Although not yet able to meet university targets, the information technology process domain has been implemented and has succeeded in achieving the results of the expected process.
The results of the gap analysis on the process domains of APO03, APO04, APO13, BAI09, BAI10, and DSS01 obtain a gap value of 2 where management of information technology in the domain of information technologyrelated processes at University of General Achmad Yani Yogyakarta is not optimal to meet university targets. In addition, the university has not implemented the information technology process domain and has not yet achieved the expected results, making it difficult for the university to achieve the set targets.
For 6 COBIT 5 process domains, namely APO03, APO04, APO13, BAI09, BAI10 and DSS01 are at level 1, namely the Performed process, where the process has been implemented and has achieved the planned goals.
The level of capability for the University of General Achmad Yani Yogyakarta is on level 2 on average, namely the Managed Process with L rating (Largely Achieved) where the University of General Achmad Yani Yogyakarta has implemented most of the governance processes.
The results of gap analysis on the process domains of EDM03, EDM04, APO01, APO07, APO10, APO12, BAI06, DSS03, DSS05 and MEA01 get the value of gap 1 where information technology management in the process domain related to information technology at the University of General Achmad Yani Yogyakarta is still not optimal for meet university targets.
Recommendations for improvements are structured as a way to improve the IT process so that it can further achieve a higher level of capability or expected by the University of General Achmad Yani Yogyakarta. The results of the gap analysis on the process domains of APO03, APO04, APO13, BAI09, BAI10, and DSS01 obtain a gap value of 2 where management of information technology in the domain of information technology-related processes at the University of General Achmad Yani Yogyakarta is not optimal to meet university targets.
In this study, only assessing part of the process domain is obtained from the company's objectives. It is hoped that further evaluation of the objectives of other companies that have an important role in supporting IT at the University of General Achmad Yani Yogyakarta that have not been included in this study such as portfolio of competitive products and service, optimization of service delivery costs, optimization of business process functionality, optimization of business process cost, and skilled and motivated people. It is expected that the University of General Achmad Yani Yogyakarta can add employees with qualifications as needed.
It is recommended to the University of General Achmad Yani Yogyakarta to implement governance that has been designed as an IT management effort. By implementing IT governance, the University of General Achmad Yani Yogyakarta can get a higher level.