Leveraging COBIT 2019 to Implement IT Governance in Mineral Mining Company

The integration of Information Technology (IT) in companies comes with its own set of challenges. One major issue is the loss of operational data, which directly affects the company's workflow and disrupts its activities. To tackle this problem, the company assesses its IT capability using the COBIT 2019 framework. This framework outlines the objectives of different IT processes and assigns predetermined values to each process. The assessment reveals three levels of IT capability for specific processes within the company: EDM03 (Ensured Risk Optimization) at level 3, APO13 (Managed Security) at level 2, and MEA03 (Managed Compliance with External Requirements) at level 3. The company aims to reach level 4 for these processes. Consequently, recommendations for improvement primarily focus on enhancing the management of information security risks and information security management systems, as well as increasing compliance with policies and regulations.


INTRODUCTION
In the contemporary era of advanced technology, numerous challenges emerge, prompting companies to integrate information technology into their business processes.These companies utilize their business procedures to reinforce information technology, aiming for a more efficient and functional system that can yield optimal outcomes.Information technology entails the application of technology to process data, encompassing operations such as data processing, collection, storage, and manipulation using various methods.The goal is to generate high-quality information characterized by its relevance, accuracy, and timeliness.Such information serves personal and business objectives, playing a crucial role in strategic decision-making [1].
Information Technology (IT) stands as a pivotal catalyst that enables companies to venture into new markets, foster innovation, and develop fresh products and services, thereby supporting corporate expansion.The revolution in information technology and the advent of the internet empowers companies to achieve remarkable financial performance by exchanging information through digital means and online platforms, thereby streamlining global business transactions.Empirical evidence underscores the immense significance of IT in corporate contexts [2].IT Governance pertains to the framework and processes that organizations employ to regulate and oversee the utilization of information technology (IT) in alignment with business goals [3].This approach ensures adherence to regulatory requirements, facilitates effective IT risk management, and maintains synergy between IT and broader business objectives [4].In mining companies, IT challenges encompass issues such as server downtime and delays in transmitting mining activity reports.The company primarily relies on outsourced IT services to facilitate its operational undertakings [5].The predicaments encountered by the company wield a direct influence on its operational workflows, manifesting as disruptions in operational activities and sluggish responsiveness to issues arising in the mining sector, thereby impeding decision-making processes.A summary of these challenges is presented in Table 1.Disruption in decision-making, especially when problems occur in the mining area because information received when problems occur is not fast.
IT governance is a critical approach adopted by companies or organizations to realize their objectives through the implementation of Information Technology (IT) [6].The management of IT ensures the assessment of the efficiency and effectiveness of an organization's business processes through IT-related structures in alignment with strategic objectives [7].This is achieved by incorporating industry best practices into the planning, administration, implementation, execution, and monitoring of IT activities [8].The overarching goal is to ensure that IT operations robustly contribute to the attainment of corporate goals [9].The governing framework employed in this process is the 2019 version of COBIT (Control Objectives for Information and Related Technologies) [10].
COBIT serves as a comprehensive framework designed for the governance and management of enterprise information and technology [11].It is intended to encompass the entire scope of a company's operations [12].Enterprise IT encompasses all technological and information processing activities employed by a company to achieve its objectives, regardless of their location within the organization [13].This signifies that corporate IT extends beyond the confines of the IT department and encompasses various facets of the organization [14].The choice of the COBIT framework is rooted in its status as an international standard for IT governance.COBIT strives for broad adoption within the realm of management, serving both as a practical tool and a standard for IT management practices [15].

METHODS
The method employed in the implementation of IT Governance using the COBIT 2019 framework within a company utilizes a qualitative approach.This approach involves gathering data related to the condition and requirements of IT to analyze the level of IT governance capability within the company [16].Figure 1 represents the framework utilized for the research on measuring governance capability based on a case study of a company using the COBIT 2019 approach.
1. Problem Identification: In this initial stage, the identification of IT problems that directly affect the company's business processes is conducted.These issues are identified through interviews conducted with the company's director.After conducting interviews about these IT challenges, two areas of problems are identified.2. COBIT 2019 Analysis Process: During this stage, the selected domain is determined based on the identified problems.Furthermore, the company's level of information technology capability is measured.This process involves utilizing the COBIT 2019 analysis approach, which includes steps such as analyzing company objectives, designing a factor toolkit, creating a RACI Chart, assessing capability levels through audit documents, analyzing the value of activities within the chosen domain, and identifying gaps [17].3. Findings and Impact: The objective of this stage is to generate findings derived from the value assessment of activities within the chosen domain.If an activity's value is below 50%, it signifies the need for further exploration.The outcomes of this process lead to the identification of findings and their corresponding impacts, which subsequently guide the formulation of recommendations [17].4. Improvement Recommendations: This phase aims to provide recommendations based on the identified findings.These recommendations are aligned with the guidelines established by COBIT 2019.They serve as a roadmap for the company to initiate planning and implement improvements, building upon the recommendations provided [18]. 5. Conclusion: During this stage, conclusions are drawn by considering critical points from each preceding phase.The results obtained from the audit process are synthesized at this juncture.The recommendations and results stemming from the audit can be harnessed by the company for enhancing its IT landscape.These insights contribute to the company's desired improvement trajectory and serve as a reference for future enhancements [18].

Data Analysis Technique
There are 3 data analysis techniques used:

COBIT 2019 Design Factor Toolkit
In this study, the data analysis technique employed is the COBIT 2019 Design Factors Toolkit provided by ISACA.The COBIT 2019 Design Factors Toolkit aids in determining process objectives for the company's governance system and measures the level of process factor influence.The process of utilizing the provided COBIT 2019 Design Factors Toolkit involves interviewing the company to design and implement critical design factors within the Information Technology (IT) system and processes.These design factors are crafted to ensure that the IT system effectively and efficiently supports the organization's business objectives and needs.This step includes 11 criteria, presenting questions based on the Design Factors Toolkit and generating values to acquire the COBIT 2019 domain [19].

Capability Level Analysis
The analysis of the capability level or level of capability in this study was based on the interviewees' answers regarding the evaluation given to informants during interviews for all selected COBIT-19 functions.This assessment will consider the scale used to determine whether the COBIT-19 process stops or continues to the next level [20].The following is the scale used: 1) N: Not Achieved (0 to 15%) We found little or no evidence-gaining scale related to the computed process attributes.

2) P: Partially Achieved (> 15% to 50%)
There is some evidence of the scale of the estimated process attribute gain.Some attribute gains may be unpredictable.

3) L: Largely Achieved (> 50% to 85%)
There was evidence of a systematic approach to scale and significant achievement of the calculated process attributes.Some of the weaknesses related to this attribute are that it is contained in the calculated process.4) F: Fully Achieved (> 85% to 100%) Found complete evidence of a systematic approach scale and full achievement of the calculated process attributes.

GAP Analysis
In this research, the second data analysis technique is to look for gaps from the results of the current capability level with the target capability level desired by the company.The value of the gap is obtained from the results of interviews with the company through audit documents.This value is obtained from the calculation between the desired capability target and the capability that has been obtained.The step to determine the gap is by calculating the results of the target level that has been achieved with the target level determined by the company.This process generates a gap score that is used as an evaluation by companies to improve their IT governance [21].

RESULTS AND DISCUSSION
Here are the results of the analysis and discussion of the study, along with the stages of the COBIT 2019 framework.Ray Farhan Mubarak, Melissa Indah Fianty | 1063

Problems Identification
The initial stage in conducting a measurement of the company's IT governance involves identifying issues occurring in the company's IT that directly impact its business processes.The interviews yielded the following problems: 1) Server downtime resulting in the loss of operational data, leading to delays in operational activities.2) Delay in delivering mining activity reports, impacting planning decisionmaking and response to decision-making during mining site issues.

COBIT 2019 Objective Mapping
The level of IT governance capability can be measured by first mapping the COBIT objectives.Mapping COBIT objectives is done using the COBIT 2019 Design Toolkit.The COBIT 2019 Design Toolkit measures the level of influence of each existing design factor.In this study, the level of influence of design factors will be measured for mapping the COBIT objectives as determined by the company's goals, thus determining the company's priorities [22].steps.These steps will yield prioritized governance objectives for the company, in order to create a governance system that aligns with the company's needs [23].

Understanding the Enterprise Context and Strategy
The company conducts an examination of the company's strategy, company objectives, IT risk profile, and IT-related issues, with a focus on providing services to customers.

Determine the Initial Scope of the Governance System
The company establishes the initial scope of the governance system by measuring design factors 1-4 to ascertain the company's strategy, objectives, risk profile, and IT-related issues.

Improving the Scope of the Governance System
The enterprise expands the initial scope of the governance system by measuring design factors 5-11 to determine vulnerabilities, compliance, IT roles, IT resources, IT implementation methods, used technologies, and company size.

Concluding the Governance System Design
The company generates a governance system design for the enterprise that encompasses prioritized governance and management objectives in order to formulate the governance system design and attain COBIT 2019 objectives [24].

Measuring Capability Level
Based on the assessment results obtained from interviews with the Head of IT Division and the Head of Business, here are the average calculations for each objective and its capability level.

EDM03 (Ensured risk optimization)
The average calculation results for EDM03 are as follows.Progressing to Level 4 is not feasible, as the required minimum increase to the next level is 85% or higher.These findings have resulted in conclusions and recommendations to be provided on the following page.Activities scoring below 50% will lead to findings and their associated impacts.Recommendations are given in hopes of resolving this issue.

APO13 (Managed security)
The average calculation results for EDM03 are as follows.Table 3 represents the results of measuring the capability level of the APO13 domain, which is at Level 2 after an assessment of the APO13 domain activities.This is due to the failure to meet the minimum requirement for a level increase of 85%.The total score obtained for APO13 Level 2 is 59.5%.Consequently, this result cannot progress to Level 3. APO13 is the only domain that does not advance to Level 3, primarily due to the multitude of issues, systems, and SOPs that the company has yet to address.This situation has revealed findings and impacts, which will be accompanied by recommendations to enhance information technology within the company.

MEA03 (Managed compliance with external requirements)
The average calculation results for EDM03 are as follows.This outcome is satisfactory for the company as it remains at Level 3. From their perspective, at this level, the company has demonstrated adequate compliance with government-established policies, regulations, and standards.

Gap Analysis
The results of all activity assessments for the selected domains, namely EDM03, APO13, and MEA03, have been calculated and the results obtained at the level of each domain.The next process is to analyze the gaps in each domain.The process of comparison between the actual state (as-is) with the desired condition (to-be) or expected standard.Figure 4 shows the radar chart of the gap analysis of the 3 selected domains that have produced capability levels, namely EDM03, APO13, and MEA03.From these results it can be identified data gaps with level expectations, then from the results of these measurements obtained findings and impacts of sub-processes that cause the level of capability levels not in line with level expectations.Company needs to conduct a comprehensive evaluation of its existing policies, standards, and procedures to identify compliance gaps.
Table 9 shows recommendations for improving MEA03 Level 3 activities based on the identified findings and impacts.These recommendations are based on the COBIT 2019 guidelines.The provided recommendations are aimed at addressing the deficiencies based on the previously identified findings and impacts.It is expected that these recommendations can be implemented to resolve issues in the MEA03 domain.

CONCLUSION
The assessment of the Information Technology capability level within the company, conducted through the COBIT 2019 framework, indicates that in the EDM03 domain, the level is at 3, in the APO13 domain, it's at 2, and in the MEA03 domain, it's also at 2. These results are used to measure, evaluate, and enhance IT governance practices within the company's mining operations.The targeted capability levels are set at levels 3 and 4. It's evident that there is a onelevel difference between the current capability level and the targeted capability level.The recommended improvements primarily revolve around information security risk management, strengthening the information security management system, and enhancing compliance with established policies and regulations.Additionally, emphasis is placed on ensuring that employees have a comprehensive understanding of their roles in maintaining information security, managing information security systems, and evaluating policies and regulations that haven't been implemented yet.

Figure 2 .
Figure 2. Governance System Design WorkflowFigure2the workflow of the COBIT 2019 governance design, consisting of 4 steps.These steps will yield prioritized governance objectives for the company, in order to create a governance system that aligns with the company's needs[23].

Table 1 .
Scope of the Problem

Table 5 .
GAP Analysis

Table 5
it shows the domains EDM03, APO13, and MEA03.The expected level for each domain is 4, and the assessment results for the capability levels of each domain are at level 3. Therefore, each domain has a gap of 1 level from the expected capability level.Below is a radar chart depicting the gap analysis.

Table 6 .
Expected Company Capability Target Ray Farhan Mubarak, Melissa Indah Fianty | 1069 are in accordance with the COBIT 2019 guidelines.Below is a table detailing the improvement recommendations for the MEA03 activity.