Enhancing Information Technology Governance: A Comprehensive Evaluation Of The 2019 COBIT Framework In The Retail Industry

A retail company faced challenges such as network issues, unreliable third-party databases, and a lack of employee understanding of input transactions and the introduction of new products or services. The research employed interviews and questionnaires to address these issues and assess the company's information technology governance using the 2019 COBIT framework. The findings would help identify appropriate processes to address the company's difficulties. The prioritized domains included APO12 - Risk Management, BAI03 - Solution Identification and Development, BAI06 - IT Change Management, and BAI10 - Configuration Management. The research revealed that APO12 reached level 3 (highly achieved), while BAI03 and BAI06 reached level 4 (significantly achieved), and BAI10 achieved level 4 (completely achieved), aligning with the company's expectations. These results determine the company's IT governance level and have the potential to enhance its capabilities.


I. INTRODUCTION
Information technology plays several crucial roles in supporting a company's operations and business processes [1]. Some of the key functions of information technology within an organization include aiding in achieving organizational goals, such as enhancing management and operational efficiency, improving the quality of customer service, and serving as an additional decision-making basis [2]. To achieve these objectives, information technology must be managed effectively and correctly so that the organization can harness the benefits of its presence [3]. Implementing information technology as a tool to support management processes and provide valuable information to all stakeholders can enhance the organization's performance in line with its established objectives [4]-[6].
The company was established in 1989 as a diversified product trading company, with its main business activities located in the Tangerang area. It currently employs over 120,000 workers. While the company began its retail business in the Tangerang region, its stores have now spread widely, covering areas from Jabodetabek, Medan, Bali, Batam, Papua, and even internationally in countries such as the Philippines. The company has become one of the giants in the Indonesian retail industry. However, like any organization, the company has faced and continues to face various challenges and their associated impacts. The first set of challenges pertains to external issues, such as network interruptions and problematic third-party databases. For instance, when customers purchase mobile phone credit or make bill payments at the stores and do not receive the credit or payment receipts promptly, it is typically due to third-party network or database problems. Such occurrences result in customer dissatisfaction and tarnish the company's reputation due to prolonged transaction times.
The second set of challenges involves human errors. These errors occur when store employees make transaction input mistakes or lack understanding of new products or services introduced in the store. These errors impede transactions and lead to extended waiting times for customers to complete their payments. Given these challenges, it is imperative for the company to address them promptly [7]. The company's core business involves the sale of essential goods and handling public bill payments, which occur daily [8]. Any misalignment in business processes, particularly those involving information technology, poses higher risks [9]. In particular, network-related issues need immediate resolution through appropriate solutions to reduce network problems. Internally, the company should manage human errors effectively to mitigate these issues' occurrence. Measuring the capability level within the company serves the purpose of enhancing its information technology governance and minimizing the risks it faces [10]. Therefore, the measurement of capability levels within the company is conducted to address the identified issues effectively [11]. The company is well-suited to conduct an audit of its technology governance using the COBIT 2019 framework to improve its governance practices and align its business processes and information technology seamlessly [12].

II. METHODS
The flow of research conducted in this study is used as a reference in conducting research [13]. Figure 1 illustrates the approach employed to assess the company's IT governance capability level. The research methodology applied the COBIT 2019 framework to evaluate the company's IT governance capabilities [14]. This comprehensive research encompasses several key stages. It commences with problem identification, focusing on issues related to information technology governance within a retail company. Data is gathered through interviews, questionnaires, and extensive literature review, enhancing the understanding of IT governance evaluation using the COBIT 2019 framework [15]. The study progresses to COBIT 2019 objective mapping, aiming to address challenges in daily necessities sales by aligning objectives with existing domains [10]. Understanding the enterprise context and strategy is pivotal, involving the identification of goals, strategies, risks, and IT-related issues. The governance scope is initially determined, emphasizing growth, client service, risk management, and innovation [16].

Fig 1. Research Workflow
Following this, the governance scope is refined, extending to encompass internal development, cloud storage, agile IT practices, and careful technology adoption [17]. Conflict resolution and the conclusion of governance system design follow, guided by factors like APO12, BAI03, BAI06, and BAI10. The study measures capability levels and conducts GAP analysis, highlighting disparities between current and target levels. Finally, recommendations are provided to enhance the company's IT governance and capability level [18].

III. RESULT AND DISCUSSION

Problem Identification
The initial step in assessing information technology governance's capability level involves identifying the company's challenges and employing the COBIT 2019 framework for measurement. Representatives, including a company specialist and IT manager, are engaged to gain insights into the company's IT usage and its support for business operations. Based on interview findings, the company identifies a promising digital market, especially during the COVID pandemic, but acknowledges the emergence of associated challenges. These challenges are categorized into external factors and human errors, particularly in transactions involving third-party electronic services, where issues like network or database problems can affect customers' payment records.
The human error factor is internal to the company, for example a store employee who enters a transaction incorrectly or lacks product knowledge. These problems affect the company in two ways:
1) Networks or databases from third parties or operators cause problems during transactions.
2) The human error factor slows down and hinders transactions.

COBIT 2019 Objective Mapping
There are 4 steps to determine the COBIT 2019 objectives that will be assessed at the company:

Understand the Enterprise Context and Strategy
The evaluation of information technology governance in the company utilizes the COBIT 2019 framework. To measure the capability level of IT governance, objective mapping of the previous COBIT process is conducted. This mapping is facilitated by the COBIT 2019 Design Toolkit, which measures the influence level of each design factor. The design factors are assessed to align with the company's primary goals and ensure a proper objective process mapping. The determination and discussion of this objective process mapping are done collaboratively with the company.

Determine the Initial Scope of the Governance System
The company's enterprise strategy is centered on two key priorities: growth/acquisition and client service/stability, aligning with its mission of achieving customer satisfaction through quality products and services. Innovation/differentiation and cost leadership are considered secondary strategies. Thirteen enterprise goals are aligned with the company's strategic objectives, with four of them rated the highest at 5. These goals focus on competitive products and services, effective risk management, a customer-centric service culture, and innovative product and business development, in line with the company's emphasis on service excellence, stability, and innovation.
The risk profile is structured based on the severity of risks, with very high-risk factors including IT expertise, skills, and behavior, software failures, and logical attacks. These risks are critical due to the company's heavy reliance on IT for operations. IT-related issues are categorized by importance, with critical challenges including significant incidents, inadequate IT resources, obstacles in implementing innovations due to IT limitations, and difficulties leveraging emerging technologies for innovation. These challenges arise from the company's extensive use of technology, leading to disruptions like application errors in its operations.

Refine the Scope of the Governance System
The company's IT governance framework is influenced by several critical design factors. Firstly, the threat landscape it operates within is characterized by a high frequency of IT incidents, both internally and externally, which significantly affect its daily business activities. Secondly, in terms of compliance requirements, the company predominantly adheres to normal standards, reflecting its meticulous commitment to Indonesian laws and regulations. IT plays a pivotal role in the company's operations, primarily as a support system for its business activities. Any errors or disruptions in applications or systems can have a significant impact on the company's overall functioning. Moreover, the company employs a combination of IT sourcing models, utilizing both cloud services and insourced development. Cloud services are primarily employed for data storage, while the company takes charge of internal system and application development and management. In terms of IT implementation, the company has embraced an agile model, which emphasizes iterative software development with predefined rules and solutions agreed upon by division members. This approach promotes flexibility and efficiency in IT projects. Regarding technology adoption, the company takes a cautious "follower" approach. It carefully evaluates emerging technologies, considering their potential benefits and applicability to its operations before making adoption decisions. Lastly, the company qualifies as a large enterprise, as it employs over 250 full-time workers, a classification that is important within the COBIT 2019 framework. These design factors collectively shape the company's IT governance framework and its approach to technology and compliance.

Resolve Conflicts and Conclude the Governance System Design
The organization develops a governance system design for the company, incorporating prioritized governance and management objectives in order to finalize the governance system design and achieve the COBIT 2019 objectives.

Fig 2. Result of Design Factors
Figure 2 displays the findings regarding the COBIT 2019 Design Factors. In this research, the target process for evaluation within the company falls under the APO domain. The choice of the APO domain is in line with the company's specific challenges, notably the issues related to delayed delivery of business requirements during the planning phase, which prompted the adoption of measurement methods using the COBIT 2019 framework. The primary process objectives identified encompass APO12 - Risk Management, BAI03 - Solution Identification and Development, BAI06 - IT Change Management, and BAI10 - Configuration Management.

Analysis of Capability Level Using COBIT 2019
The first step in this process entails generating an audit document that cites tasks within the APO12 - Managed Risk, BAI03 - Managed Solution Identification and Build, BAI06 - Managed IT Changes, and BAI10 - Managed Configuration processes within the 2019 COBIT framework. These tasks are organized into various tiers, facilitating a phased distribution of surveys. After the questionnaires have been distributed and the results collected, they will be further detailed in Table 1.

GAP Analysis
The next step involves conducting a GAP analysis, where the measurement results of the target capability level are compared to the current capability level set in the COBIT 2019 Design Factor within the company. This analysis is elaborated further in Table 2. Through GAP analysis, objective processes that can be recommended for improvement will be determined. The company wants all capability levels to be at level 4 for all objective processes.

Fig 3. Radar Chart Gap Analysis
Figure 3 represents the percentage of gap analysis results and can also be presented in the form of a radar chart, similar to the previous capability level assessment. It reveals the capability level results of specific objectives, indicating that APO12 stands at 84.64%, BAI03 at 78.75%, BAI06 at 82.5%, and BAI10 at 86%. This graphical representation aids in visually understanding the gaps and capabilities across different objectives, providing a comprehensive overview of the company's information technology governance [19]. These percentages reflect the effectiveness of the measures in place and highlight areas where improvements may be needed to enhance IT governance [20].

Recommendation
Based on the results of the audit documents, objective processes that have not yet reached the expected level of capability will be given the following level improvement recommendations in Table 3.
Table 3. Recommendations
Process / Recommendation
APO12.01
1) Create a cost measurement report for information technology risk.
2) Carry out the process of risk analysis and data collection to identify risk analysis and effective reporting related to IT.
APO12.02
1) Establish documents in the form of problem identification, risk analysis and evaluation as well as risk control to help manage risk.
2) Planning for supervision of the implementation of IS or IT risk management.
APO12.03
1) Evaluate the results of risk management work with existing human resources to control and document the results.
2) Conduct a periodic risk analysis to analyze risks.
APO12.04
1) Provide up-to-date information regarding technology and information systems to existing resources.
APO12.05
1) Collect risk management proposals to complete risk documents.
APO12.06
1) Conduct periodic evaluations of third parties regarding risk control, because the company cooperates with third parties in several fields.

Table 3 presents recommendations for enhancing the capability level of objective APO12 related to risk management. The recommendations provided for each sub-objective within APO12 are expected to address the IT risks occurring within the company. These recommendations aim to improve the company's IT governance by addressing specific areas related to risk management. By implementing these suggestions, the company can strengthen its ability to manage and mitigate IT-related risks effectively, ultimately enhancing its overall IT governance framework.

IV. CONCLUSION
The capability levels for specific process objectives within the company's information technology governance framework were assessed. APO12 - Managed Risk process objective was determined to be at level 3, while BAI03 - Managed Solutions Identification and Build, BAI06 - Managed IT Changes, and BAI10 - Managed Configuration process objectives achieved level 4, indicating alignment with the company's expectations. However, a notable gap of one level was identified in the APO12 process objective, where the expected capability was at level 4 but had not yet been attained. To enhance capability, recommendations focus on managing risks related to in-store services, evaluating third-party risk in the field, and reinforcing employee understanding of their role in system management. In the context of measuring corporate information technology governance through COBIT 2019, future research endeavors may consider expanding the scope to include other domains such as Evaluate, Direct, and Monitor (EDM), Deliver, Service, and Support (DSS), or Monitor, Evaluate, and Assess (MEA) within the framework. This expansion can provide a more comprehensive assessment of IT governance capabilities, contributing valuable insights for the company's future information technology governance development.

Table 2. GAP Analysis