CAT5: A Tool for Measuring the Maturity Level of Information Technology Governance Using COBIT 5 Framework

Companies increasingly automate their operational and organizational activities, so investment in information technology (IT) continues to increase every year. However, good governance that can ensure the alignment of IT with business strategy and realize the benefits of IT investments has not always followed this increase. Measurement of IT governance is therefore required as a basis for the continuous improvement of IT services. This study aims to produce a tool, CAT5, to measure the maturity level of IT governance, thus facilitating the improvement of IT services. CAT5 is based on the COBIT 5 framework and is designed using the Unified Modeling Language. Through the stages of information system development, this research results in an application for measuring the maturity level of IT governance that can be used to assess existing IT governance.


I. INTRODUCTION
In recent years, due to the increase in IT investment, IT governance has become a center of interest among practitioners and researchers.
Several issues contribute to explaining this phenomenon [1]: (1) Business activities have become largely dependent on IT systems. (2) Therefore, business failure and success are increasingly dependent on IT. (3) IT should deliver value to the business and be aligned with the organization's goals. (5) Response to fast changes in the business environment. (6) Ensure business continuity.
Further, companies wishing to implement IT governance must establish a system to measure the maturity of their IT organizations. The purpose of process capability determination is to identify the strengths, weaknesses and risks of each IT process with respect to a particular specified requirement, through the processes used and their alignment with the business need.
It is interesting to analyze this issue in relation to a widely accepted framework such as COBIT [4], currently in its fifth edition, which covers the IT activities of the enterprise end to end. This study has therefore developed a tool, CAT5, to measure the maturity level of IT governance. The tool helps in conducting self-assessments and determining to what extent IT governance has been implemented. Such assessments will normally be used as part of an enterprise's process improvement program and can then be used to report internally to an enterprise's executive management or board of directors on the current capability of its IT processes. They also facilitate the development of recommendations and improvements for each weak process, as explained in a previous article that presents the design of a "roadmap of IT governance implementation" [12]. The measurement results illustrate the current state to facilitate improvement of IT governance. All processes that exist within the COBIT 5 framework are used and measured based on COBIT 5 attributes and criteria. The Capability Model is based on ISO/IEC 15504 (SPICE).
This document is organized as follows: first, we introduce the research approach; afterward, we present a summary of requirements for good IT governance maturity assessments, and we explore the evolution of the maturity model into the COBIT 5 process capability model. Then, we outline the existing tools for IT governance assessment. At the end of this paper, we present the result of the study by showing the design and the layout of the proposed tool, CAT5.

II. RESEARCH APPROACH
This research is an engineering study, where the end result is a solution that is used to measure the maturity level of IT governance. For that purpose, the research method used is based on the phases of the Software Development Life Cycle (SDLC) and a prototyping approach. The final result is still a prototype that continues to be developed in line with the needs of ongoing PhD research whose subject is the "Implementation of tools supporting the establishment of IT governance". The research starts with analyzing the needs of the system, then proceeds with the system design using UML, and ends with the creation of the application using Java/J2EE and MySQL. The first phase of testing uses a "Whitebox" testing approach on the developer side and "Blackbox" testing on the user side.

III. LITERATURE REVIEW
In measurement theory, the goodness of an assessment is specified in terms of validity and reliability [9]. For practical applications, these benefits need to be traded against the cost of performing the measurement. Table 1 summarizes a set of requirements within the domains of validity, reliability and cost.
Process maturity has been a core component of COBIT for more than a decade. Determining the level of process maturity for given processes allows organizations to determine which processes are essentially under control and which represent potential management challenges [10].
The concept of process maturity in earlier versions of COBIT was adopted from the Software Engineering Institute's. In the latest version, the COBIT Capability Maturity Model has been replaced by the concept of process capability [6], based on the ISO/IEC 15504 (SPICE) standard "Information Technology - Process Assessment". The COBIT assessment program [6] is designed to provide enterprises with a repeatable, reliable and robust methodology for assessing the capability of their IT processes.

Table 1. Requirements within the domains of validity, reliability and cost

Req1. Consistency with common conceptions (Validity): The method should be based on well-known IT governance sources within academia and practice.

Req2. Descriptive operationalization (Reliability): The method should support unambiguous and objective depiction of IT governance in an organization by means of a precise representation. If two analysts individually face the task of describing the IT governance in an organization, a descriptively operationalized language would result in both obtaining equal models, while a fuzzier language would not.

Req3. Normative operationalization (Reliability): The method should support unambiguous and objective analysis of IT governance. It should clearly state how different IT governance concerns affect maturity scores.

Req4. Support for efficient data collection (Cost): The method should provide an efficient representation of IT governance so that data could be collected with little effort.

Req5. Support for efficient analysis (Cost): The method should support efficient normative judgments of IT governance so that analysis can be made easily and at a reasonably low cost.

A. COBIT 5 Process Capability Model
The Capability Model is based on ISO/IEC 15504 (SPICE):
- Level 0: Incomplete. The process is not implemented or fails to achieve its purpose;
- Level 1: Performed (Informed). The process is implemented and achieves its purpose;
- Level 2: Managed (Planned and monitored). The process is managed and results are specified, controlled and maintained;
- Level 3: Established (Well defined). A standard process is defined and used throughout the organization;
- Level 4: Predictable (Quantitatively managed). The process is executed consistently within defined limits;
- Level 5: Optimizing (Continuous improvement). The process is continuously improved to meet relevant current and projected business goals.
The capability of processes is measured using process attributes, except for the first level (Level 0), in which the goal of the process is not achieved; in all the other levels there is at least one attribute. The international standard defines nine process attributes [13]. In COBIT 5, to achieve a given level of capability, the previous level has to be completely achieved. The COBIT Process Assessment Model describes the assessment process activities and an assessment model walkthrough for a proper assessment, as shown in Figure 2.
Fig. 2. COBIT 5 Process Capability Model [8]
Initiation: The objective of the initiation phase is to ensure that there is a common understanding with the sponsor on the purpose and scope of the assessment, and to identify the individuals with the appropriate competencies to ensure a successful assessment.
Planning Assessment: The assessment planning phase includes determining the assessment activities, determining the necessary resources and schedule for the assessment, defining how the assessment data will be collected, recorded, stored, analyzed and presented, and defining the planned outputs of the assessment.

Data Collection: The assessor obtains (and documents) an understanding of the process(es), including process purpose, inputs, outputs and work products, sufficient to enable and support the assessment:
- Evidence of process performance for each process within the scope. Evidence includes observation of work products and their characteristics, testimony from the process performers, and observation of the infrastructure established for the performance of the process.
- Evidence of process capability for each process within the scope. Evidence of process capability may be more abstract than evidence of process performance.
In some cases, the evidence of process performance may be used as evidence of process capability.

Data Validation: The assessor ensures that the data collected is correct and objective and that the validated data provides complete coverage of the assessment scope.
Process Attribute Rating: For each process assessed, a rating is assigned for each process attribute up to and including the highest capability level defined in the assessment scope. The rating is based on data validated in the previous activity.
Traceability must be maintained between the objective evidence collected and the process attribute ratings assigned. For each process attribute rated, the relationship between the indicators and the objective evidence is recorded.

Reporting: The results of the assessment are analyzed and presented in a report. The report also covers any key issues raised during the assessment, such as:
- Observed areas of strength and weakness
- Findings of high risk, i.e., magnitude of gap between assessed capability and desired/required capability
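
The rating and reporting steps above, as an added example (not code from CAT5 or the paper): it maps attribute scores to ratings, derives the capability level under the rule that the previous level must be completely achieved, and lists gaps against target levels. The N/P/L/F rating bands and PA identifiers are those of ISO/IEC 15504 and are not given on the page; the function names, process scores and target levels are constructed for illustration.

```python
# Added example, not CAT5 source. Rating bands and PA identifiers follow
# ISO/IEC 15504; scores and target levels below are constructed samples.
ATTRIBUTES = {  # process attributes belonging to each capability level
    1: ["PA1.1"],
    2: ["PA2.1", "PA2.2"],
    3: ["PA3.1", "PA3.2"],
    4: ["PA4.1", "PA4.2"],
    5: ["PA5.1", "PA5.2"],
}

def rate(percent):
    """Map an achievement percentage to N, P, L or F."""
    if not 0 <= percent <= 100:
        raise ValueError(f"score out of range: {percent}")
    if percent > 85:
        return "F"  # fully achieved
    if percent > 50:
        return "L"  # largely achieved
    if percent > 15:
        return "P"  # partially achieved
    return "N"      # not achieved

def capability_level(scores):
    """Highest level reached; an attribute with no score counts as 0 %."""
    level = 0
    for lvl in sorted(ATTRIBUTES):
        ratings = [rate(scores.get(pa, 0)) for pa in ATTRIBUTES[lvl]]
        if any(r not in ("L", "F") for r in ratings):
            break  # this level is not achieved
        level = lvl
        if any(r != "F" for r in ratings):
            break  # achieved, but not completely: higher levels are closed
    return level

def gap_report(assessments, targets):
    """Processes below their target level, largest gap first."""
    rows = []
    for process, scores in assessments.items():
        level = capability_level(scores)
        gap = targets[process] - level
        if gap > 0:
            rows.append((process, level, targets[process], gap))
    return sorted(rows, key=lambda row: -row[3])

SAMPLE = {  # constructed scores (percent) per process attribute
    "APO12": {"PA1.1": 90, "PA2.1": 88, "PA2.2": 60, "PA3.1": 95},
    "DSS05": {"PA1.1": 70, "PA2.1": 90, "PA2.2": 90},
    "BAI06": {"PA1.1": 100, "PA2.1": 100, "PA2.2": 100, "PA3.1": 55, "PA3.2": 86},
}
TARGETS = {"APO12": 3, "DSS05": 3, "BAI06": 3}  # constructed target levels

if __name__ == "__main__":
    for process, level, target, gap in gap_report(SAMPLE, TARGETS):
        print(f"{process}: assessed {level}, target {target}, gap {gap}")
```

In the sample, DSS05 stays at level 1 although its level 2 attributes score above 85 %, because PA1.1 is only largely achieved.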

B. Available tools
There are a number of tools:
1) Self-assessment Templates: an Excel file with separate evaluation sheets for all 37 COBIT 5 processes included within the COBIT guidance [13].

is a web-based tool available online that allows a user registered with a paid member account to enter basic information about the self-assessment, set expected capability levels for each process before beginning the assessment, and select only those processes to be assessed. The tool then walks the user through the assessment of each attribute and provides a report that details the results of the self-assessment.
Except for the documentation provided by ISACA to its members, there is a lack of important documentation from other sources regarding the latest version of the framework.

3) Process Maturity Assessment in iServer: iServer IT Governance Accelerator is a paid solution released by "Orbus Software" [15] that provides a comprehensive toolkit for organizations wishing to reference, adopt and align with COBIT 5 IT governance best practices. The toolkit includes:
- A preconfigured iServer repository based on COBIT5
- COBIT5 iServer meta-model, highlighting TOGAF touch-points
- Complete models of all COBIT5 principles and concepts, with relationships and interdependencies easily reported on using iServer's relationship matrix tool
- Central repository for all IT governance documentation
For the maturity assessment, iServer allows spreadsheet data from the self-assessment templates to be imported into the iServer Governance Repository. Once the data is available, there are a number of reports and views that can be generated.
We point out that our research aims at realizing a solution for IT governance, risk and compliance. In this context, a first module, "roadmap of IT governance implementation", was developed [12]. Our second module will be an IT governance self-assessment tool. Such assessments will normally be used as part of an enterprise's process improvement program and can then be used to report internally to an enterprise's executive management or board of directors on the current capability of its IT processes, and they facilitate the development of recommendations. This study showed that the existing tools are not free, and compatibility with our first module is not provided. Therefore, to overcome these issues, we decided to develop CAT 5 (COBIT 5 Assessment Tool), which helps an assessor to measure the maturity level of IT process governance.

IV. CAT5: A TOOL FOR MEASURING THE MATURITY LEVEL OF IT GOVERNANCE USING COBIT 5 FRAMEWORK
The following are the results of the research, in the form of the design using UML and the layout of CAT5, which is a web-based tool for measuring the maturity level of IT governance. The application design shown includes Use Case, Activity and Class Diagrams.

A. Use Case Diagram
The Use Case diagram, as in Figure 3, describes the relationship of the functionality contained in the application. Actors within the system are Admin and Auditor. The functions that can be performed by the Admin are: Manage Questioner (with sub-functions Update and Delete Criteria of each process attribute, and View Questioner), Manage Score and Analysis (with sub-functions Input Score and Analysis, Generate Maturity Level and Generate Diagram), and Manage Report (with sub-functions Generate Diagram and View Report). The Auditor has the functions View Questioner Auditor, Input Score and Analysis, and View Report.

B. Activity Diagram
The Activity Diagram, as in Figure 5, describes the business process "Perform an assessment" in the system, covering the following:
- Auditor logs in to the system using Username and Password;
- System performs User Verification; if true, the main menu is displayed;
- Auditor chooses the Menu Home: the heat map view is shown;
- Auditor chooses a specified process;
- Auditor plans an assessment (defines start and end assessment dates and participants);
- Auditor inputs the Score of each criterion;
- Auditor inputs a comment;
- Auditor inputs files as evidence of the given score;
- System processes scoring;
- When completed, system will Generate Maturity Level;
- When completed, system will Generate Diagram;
- System will display the Report;
- If the Report needs to be printed, Auditor will Print Report;
- When all the processes have been completed, Auditor can log out from the system.

C. Class Diagram
This application is an object-oriented information system. Relationships between objects in the system are described using class diagram, as in

D. Application Layouts
The following is the layout of CAT5, the tool for measuring IT governance maturity levels, which builds upon the existing design. After logging in as a user, the first screen shows a heat map view of COBIT5 process maturity, as in Figure 6. The heat map view shows the as-is situation of all COBIT5 processes: each process is colored according to its current level of maturity, and the color scale is at the top right of the screen.
The button ">" gives access to the history of all performed assessments of a selected process, as shown in Figure 7: a user (admin or auditor) can consult or delete an old maturity assessment.
The button "+" starts a new assessment of a selected process. The first step is to plan the assessment, as shown in Figure 8; planning includes defining the start and end dates of the assessment and the participants. The second step is to perform the maturity assessment. As with the printed Excel self-assessment templates (questionnaire) provided by ISACA, the auditor performs the assessment based on the criteria and attributes of each process, as shown in Figure 9. Several methods are used in conducting the audit, namely Interview and Document Check. The auditor then fills in a score for each criterion, the evidence for the given score (tools or equipment used in conducting the audit) and the field findings as a comment.
Afterward, the auditor can generate the assessment report. The result of the assessment looks like Figure 10, which shows a dashboard indicating the score for each attribute and the maturity level of the assessed process calculated based on the COBIT 5 framework. This new result updates the heat map view, which shows the latest maturity level of the assessed process.
Admin can customize the criteria (Update or Delete) according to the specificity of the organization, as shown in Figure 11. All new assessments will follow this modified assessment form.

V. CONCLUSION AND FUTURE RESEARCH DIRECTION
This article is part of research that aims at realizing a solution for IT governance, risk and compliance. A previous article [12] presented our first module, "roadmap of IT governance implementation". This article presents CAT5 as a second module for measuring IT governance by utilizing the COBIT5 framework. Such assessments will normally be used as part of an enterprise's process improvement program and can then be used to report internally to an enterprise's executive management or board of directors on the current capability of its IT processes, and they facilitate the development of recommendations and improvements for each weak process.
Further research is ongoing to provide a third module, "Execution of COBIT5 roadmap action plans".

Fig. 9. Perform an assessment
The stage of design uses diagrams provided in UML, which are the Use Case Diagram, Activity Diagram, Class