Academic Information System Audit Using COBIT 5 Domain APO Framework

The use of Information Technology (IT) in higher education is said to be useful if its application is in accordance with the vision and mission of the organization. An academic information system audit is a method of assessing the academic information system to ensure that the governance and management functions of the information system are implemented properly. Unimal is a university that has implemented information technology in its operational processes. To achieve the organization's vision, the use of IT in the organization must always be monitored so that the services provided to users can be maximized, including by conducting an audit process to identify the level of IT maturity so that IT management can find solutions for processes that are considered less than optimal. The methodology in this study follows the COBIT 5 framework, which is one of the best practices in the management of information technology. This study aims to measure the capability level of Unimal Academic Information Technology using the COBIT 5 APO (Align, Plan, and Organise) domain in the APO01, APO02, APO04 and APO11 processes and to provide solutions for improving academic information technology and IT implementation at SIA Malikussaleh University. The focus of the research is also based on the priority needs of the process at Malikussaleh University, and no research has been conducted on the APO COBIT 5 domain. 2 (Managed Processes), meaning that at this level the previously described processes are now implemented and managed by planning, monitoring, adjusting to their work products, controlling and maintaining them.


Introduction
Information technology (IT) is currently widely applied by almost all organizations (government, the industrial sector, the private sector and education). IT is believed to help improve the efficiency and effectiveness of an organization's business processes in achieving its goals [1] [2]. Information is everywhere in organizations and should be seen as a strategic resource alongside the other factors of production. Organizations cannot have strategic value without information assets. Organizations find it difficult to get the right information at the right time and in the right quality because of the growth of information assets [3] [4]. Today information technology develops very quickly, and the conveniences that result from it can already be felt. Technology, especially in the field of computers, is currently growing very fast. Advances in electronics are one of the factors that support the development of technology and also greatly affect computer science today. Computer science has entered all fields of activity carried out by society. This is evidenced by the widespread use of computers in companies engaged in business, health, services, etc. [5] [6] [7]. An academic information system (SIA) is a form of utilization of information technology as software services in education, including the processing of student academic information. An SIA can be used effectively as a means of supporting lectures when the related organization has good information technology resources. However, an SIA that is not properly utilized will only be a complement and not a supporting tool that provides benefits to its users [8] [9].
An information system audit is an evaluation to find out the level of conformity between information system applications and established procedures, and to find out whether an information system has been designed and implemented effectively, efficiently, and economically, has adequate asset security mechanisms, and ensures adequate data integrity [10] [11]. Along with the development of increasingly sophisticated information technology, the need for assurance of the value of information technology, the management of information technology risks and the need for control over information have been understood as key elements in the governance of an agency or organization. Agencies must meet the need for information in terms of quality, fiduciary (trust) and security. Management must also pay attention to optimizing the use of available information technology resources, including applications, information, infrastructure and people. In carrying out these responsibilities and achieving agency goals, management must understand the condition of the agency's information technology and decide what governance should be applied and how to control it [12] [13].
In the application of IT in an organization, it is considered very important to implement a framework that management uses as a reference from planning to IT organization, so that it is possible to reach the stage of IT governance. One of the frameworks that has received wide recognition by the international community is COBIT (Control Objective for Information and Related Technology). This framework is a standard for IT governance developed by ISACA (Information System Audit and Control Association) and ITGI (IT Governance Institute), a non-profit organization engaged in IT governance. COBIT has been accepted as an international standard; it focuses on business and aligns IT with organizational goals [14] [15]. In this audit process, the COBIT 5 APO (Align, Plan, and Organise) domain is used. The focus of the research is also based on the need for priority processes in the academic information system at Unimal, and no research has been carried out regarding the APO domain [16].

Definition of Audit
According to [17], auditing is the process of collecting and evaluating evidence about information to determine and report the conformity of that information with established criteria, carried out by competent and independent people. According to [18], an audit is a systematic process of obtaining and objectively evaluating evidence relating to assessments of various economic activities and events, to ensure the degree of correspondence between these assessments and established criteria and to communicate the results to interested users. [19] gives the general definition of audit as "Auditing is an independent investigation of some particular activity". The word audit comes from the Latin Audire, which means "hearing about the account's balances" by neutral third parties (no vested interest) regarding the company's financial records managed by certain people who are not the owners.

Audit of information systems/Information Technology
An information technology audit is an evaluation of an organization, system, process, or product. Audits are carried out by competent, objective and impartial parties, called auditors. Its purpose is to verify that the subject matter of the audit has been completed or is proceeding in accordance with agreed and accepted standards, regulations and practices. An information systems audit is the process of gathering and evaluating evidence to determine whether computer systems can secure assets, maintain data integrity, promote the achievement of organizational goals effectively and use resources efficiently. Information technology audit in general is a process of collecting and evaluating all activities of the company's information system. Another term for information technology audit is computer audit, which is widely used to determine whether the company's information system assets have worked effectively and in an integrated manner to achieve organizational targets [19] [20]. According to [21], "Information systems audit is the process of collecting and evaluating evidence to determine whether computer systems can protect assets, maintain data integrity, enable organizational goals to be achieved effectively and use resources efficiently".

Basic Concepts of Information Systems
A system is a collection of interrelated and interacting objects whose relationships can be seen as a single unit designed to achieve one goal [22]. Thus, a system can simply be interpreted as a collection or set of elements or variables that are mutually organized, interact with each other, and depend on each other. [23] defines a system as a set of elements that are combined with one another for a common goal. Meanwhile, the definition of a system in Webster's Unabridged Dictionary is elements that are interconnected and form a single entity or organization [24], while an information system is a system whose purpose is to produce information [17] [25].

Information System Components
[26] explains that a computer-based information system (CBIS) in an organization consists of the following components:
1. Hardware, namely hardware components to complete the activities of entering data, processing data, and outputting data.
2. Software, i.e. programs and instructions given to a computer.
3. Database, which is a collection of data and information organized in such a way that it is easily accessible to users of information systems.
4. Telecommunications, namely communication that connects system users with computer systems together into an effective work network.
5. Humans, namely personnel from information systems, including managers, analysts, programmers, and operators, who are responsible for system maintenance.

COBIT
COBIT (Control Objective for Information and Related Technology) is a collection of documentation and guidelines for implementing IT Governance, a framework that helps auditors, management and users bridge the gap between business risks, control requirements and technical issues. COBIT was developed by the IT Governance Institute (ITGI) which is part of the Information System Audit and Control Association [27].
According to [17] [28], COBIT 5 is the latest generation of ISACA guidelines that discuss IT governance and management. COBIT 5 is built on the experience of using COBIT for more than 15 years by many companies and users from the fields of business, IT community, risk, insurance, and security. COBIT 5 defines and describes in detail a number of governance and management processes. COBIT 5 provides a reference process model that represents all processes commonly found in a company related to IT activities. The proposed process model is not just a process model but a comprehensive model. Each company should define its own process area, taking into account the specific situation within the company [16].

COBIT 5 Principles
COBIT 5 is based on five key principles for organizational IT governance and management as shown in Figure 2, namely meeting stakeholder needs, covering the entire organization, implementing a single integrated framework, using a holistic approach, and separating governance from management. These five basic principles enable organizations to build an effective governance and management framework, which can optimize investment and use of IT for the benefit of stakeholders.

Principle 1: Meeting Stakeholder Needs
This principle explains that the organization seeks to create value for its stakeholders. Organizations should consider all stakeholders involved when making profit, resource and risk assessment decisions.

Principle 2: Covering the End to End Process of an Organization
This principle explains that COBIT 5 integrates IT governance with organizational governance (Enterprise Governance). COBIT 5 does not only focus on managing IT functions but also considers information technology as an asset that must be protected like any other asset in the organization.

Principle 3: Applying a Single Integrated Framework
This principle explains that COBIT 5 allows organizations to use it as an overarching governance and integrator management framework. COBIT 5 is a single and integrated framework because:
• COBIT 5 is aligned with other relevant and up-to-date standards and frameworks, and it enables companies to use COBIT 5 as a comprehensive and integrated framework for governance and management.
• COBIT 5 is very comprehensive across the enterprise, providing the basis for effectively integrating existing frameworks, standards and other practices.

Principle 4: Enabling a Holistic Approach
This principle explains that COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system of an organization's IT.

Principle 5: Separating Governance from Management
This principle explains that the COBIT 5 framework makes a clear distinction between governance and management. Governance involves decision making at a high level, the responsibility of the board of directors under the leadership of the chairman. Meanwhile, management is the responsibility of executive management under the leadership of the CEO.

Capability Level
COBIT 5 introduced the Process Capability Model, which is based on ISO/IEC 15504 standards regarding Software Engineering and Process Assessment. This model measures the ability of each governance process or management process and can identify areas that need to be improved [29]. The following is an explanation of the level of process capability in [30], namely:
1. Level 0 (Incomplete process): Processes are not implemented or fail to achieve their process objectives.
2. Level 1 (Performed process): The process is implemented and achieves its process objectives.
3. Level 2 (Managed processes): The previously described processes are now implemented in a managed fashion (planned, monitored and adjusted) and work products are precisely defined, controlled and maintained.
4. Level 3 (Established process): The managed processes described previously are now implemented using defined processes that are capable of achieving their process outcomes.
5. Level 4 (Predictable process): The defined processes described previously now operate within the defined limits to achieve their process results.
6. Level 5 (Optimizing process): The previously described processes are continuously improved to meet the relevant and projected current business objectives.

Study of literature
In this study, a literature study was conducted to find the theoretical basis of previous research related to this research both through online journals and those in the library. The learning process through literature study includes reading, summarizing, and concluding, then the related literature study will be used as supporting material to carry out and work on this research.

Data Collection
Research data consists of two types, namely primary data and secondary data. Primary data is data obtained or collected by researchers directly from the data source. In this study, primary data were obtained in two ways, namely questionnaires and interviews.
1. Questionnaire: data were collected by distributing questionnaires on information technology governance and academic information system governance in institutions. The questionnaire was conducted to obtain quantitative data related to the level of the company's IT process capability, namely the current capability level (as-is) and the expected capability level (to-be). Questionnaires will be distributed within the scope of agency governance.
2. Interviews: interviews were conducted with the respondents of the questionnaire so that the respondents' understanding of the questions contained in the questionnaire was the same as that intended by the researcher. In addition, interviews were also conducted to obtain data and information related to the management of information technology. Interviews were addressed to parties related to the planning and implementation of IT governance.
Figure 2 shows the steps carried out in the research. Secondary data is data obtained or collected by researchers from various existing sources.

Fig 2. Research Flowchart

Data Processing
After the data have been tested, the reliable and valid data are calculated based on the capability level model provided by COBIT. The results of the analysis will produce the current level of IT process capability and the level of capability expected by the institution. Furthermore, information technology processes that are at a low level of capability need special attention so that they match the expectations of institutional management.

Gap Analysis
At this stage, a comparison will be made between the current state of IT process capability level and the IT process capability level expected by the company. The comparison aims to analyze the extent to which the current information technology process is in accordance with the conditions expected by the institution.
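The calculation described in the Data Processing and Gap Analysis steps can be sketched as follows. This is an added example, not code or data from the study: it assumes each respondent scores a process from 0 to 5, that the as-is level is the plain mean of those scores, and that an average is labelled with the nearest level. The responses are constructed, and the target of 4 is the expected level the paper states.

```python
import math
from statistics import mean

# Level names as listed in the Capability Level section of this paper.
LEVELS = {0: "Incomplete process", 1: "Performed process", 2: "Managed process",
          3: "Established process", 4: "Predictable process", 5: "Optimizing process"}


def as_is_level(scores):
    """Average one process's questionnaire scores (assumed 0-5 per respondent)."""
    if not scores:
        raise ValueError("no questionnaire responses for this process")
    if any(not 0 <= s <= 5 for s in scores):
        raise ValueError("score outside the 0-5 capability scale")
    return round(mean(scores), 2)


def level_name(value):
    """Label an average with the nearest level (assumption: round half up)."""
    return LEVELS[min(5, math.floor(value + 0.5))]


def gap_analysis(responses, targets):
    """Return one row per process, largest gap (highest priority) first."""
    rows = []
    for process, scores in responses.items():
        current = as_is_level(scores)
        rows.append({
            "process": process,
            "as_is": current,
            "level": level_name(current),
            "to_be": targets[process],
            "gap": round(targets[process] - current, 2),
        })
    return sorted(rows, key=lambda r: r["gap"], reverse=True)


# Constructed responses from five hypothetical respondents per process.
SAMPLE_RESPONSES = {
    "APO01": [2, 2, 2, 3, 2],
    "APO02": [3, 2, 3, 2, 2],
    "APO04": [2, 3, 3, 2, 3],
    "APO11": [3, 3, 3, 2, 3],
}
# Expected (to-be) level of 4, as stated in the paper's conclusion.
TARGETS = {process: 4 for process in SAMPLE_RESPONSES}

if __name__ == "__main__":
    for row in gap_analysis(SAMPLE_RESPONSES, TARGETS):
        print(f"{row['process']}: as-is {row['as_is']} ({row['level']}), "
              f"to-be {row['to_be']}, gap {row['gap']}")
```

Processes at the top of the output have the largest gap and are the first candidates for the improvement plan.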

Academic Information System Governance Planning
At this stage the author will design the information systems governance. The governance plan will be designed taking into account the necessary improvement plans for the information system governance processes. An improvement plan will be made based on the gap analysis obtained in the previous stage. The improvement plan contains recommendations that must be carried out by the institution, with the aim of giving management direction for achieving the expected information technology process capability level target. Furthermore, the governance model will be realized in the form of institutional policy proposals related to information technology.

Results and Discussion
The scores from each respondent's answers were added up for each control process, and the average capability level value was then calculated to get the capability level value across all respondents, as shown in Tables 1 to 6.

APO01 Manage the IT Management Framework
At this stage the analysis aims to provide a consistent management approach to enable corporate governance requirements to be met, including the necessary management processes that enable management decision making to take place in the most effective way, with a description of the process clarifying and maintaining the corporate IT vision and mission governance. Implement and maintain mechanisms and authorities to manage information and use of IT in the company to support governance objectives in accordance with guidelines and policies. The expected process capability model from APO01 is level 4 and 5, the process can be predicted from the audit results, see

APO02 Manage Strategy
At this stage, the analysis aims to align the IT strategic plan with business goals. Clearly communicate objectives and related responsibilities so that they are understood by everyone, with strategic IT options identified, structured and integrated with the business plan, with process descriptions providing a holistic view of the current business and IT environment and the desired future direction. Leverage the building blocks and components of institutional architecture, including externally delivered services and associated capabilities, to enable a fast, reliable and efficient response to strategic objectives. The expected process capability model from APO02 is level 4, a process that can be predicted from the audit results, see

APO04 Manage Innovation
At this stage, the analysis aims to achieve competitive advantage, business innovation, and increased operational effectiveness and efficiency by utilizing information on technological developments, with a description of the process of maintaining awareness of information technology and related service trends, identifying innovation opportunities, and planning how to leverage the innovation business in relation to business needs. Analyzing innovation and business improvement opportunities can be created by new technologies, as well as through existing technologies and business and IT process innovations. Influence strategic planning and enterprise architecture decisions. The expected process capability model from APO04 is level 4, a process that can be predicted from the audit results, see

APO11 Manage Quality
At this stage, the analysis aims to ensure consistent delivery of solutions and services to meet company quality requirements and meet stakeholder needs, with a process description defining and communicating quality requirements in all related company processes, procedures and results, including control, continuous monitoring, and use of proven practices and standards of continuous improvement and efficiency.
The expected process capability model from APO11 is level 4, a process that can be predicted from the audit results, see Table 5. It can be concluded that the average process capability of the APO11 Manage Quality domain is at level 2.8, Established process.

Conclusion
Based on the results of research and analysis conducted at the agency, it can be concluded that the analysis was carried out using COBIT 5 in the APO (Align, Plan and Organize) domain in the APO01, APO02, APO04 and APO11 processes, and that the capability level calculation gave an average value of 2.1 (Managed Process) to 2.8 (Established Process). This means that IT governance at the institution is still not optimal because it has not reached the expected maturity level of 4. COBIT only provides control guidelines and does not provide operational implementation guidelines. It is therefore hoped that future research can use an audit model other than COBIT 5, because COBIT only focuses on control and measurement.