
Copyright 2008 ISACA. All rights reserved. www.isaca.org.

IS Auditing Standards in Malaysia


Jasber Kaur, Yap May Lin and Ainon Zarina Mohamed Nadzri
Lately, many organizations and companies in Malaysia have been facing major information systems (IS) security threats such as intrusion, spamming, negligence, and misuse and abuse of information technology (IT) resources. These incidents and security risks pose a great challenge for most businesses when it comes to protecting and safeguarding business processes and vital information assets. The security concerns stem primarily from a lack of sufficient and effective IT standards and controls over IT risks in organizational business processes. Professional IT auditing and standards bodies, such as ISACA, have pushed for the implementation of IS auditing standards that specify internal control models, quality standards and frameworks for businesses with substantial IT infrastructure. Therefore, auditing of IT systems against established international standards is a practice that should, in some form or other, be established and regulated in companies and organizations to ensure that such IT controls are in place and functioning efficiently and effectively. Emphasis is now being placed on the adoption of standards such as the International Organization for Standardization's ISO 17799 and Control Objectives for Information and related Technology (COBIT) [1] from the IT Governance Institute. The adoption of such standards is expected to help prevent and reduce IT risk, as well as provide information security guidance for businesses. A 2001-2002 survey conducted by a Malaysian IT security body, the National ICT Security and Emergency Response Center (NISER), found that 72 percent of Malaysian organizations/companies do not have a sound security audit practice [2]. The managements of these organizations lack awareness of the weaknesses in their IT systems and framework. The lack of knowledge among users and top management in the area of IS auditing standards was found to be one of the contributing factors reported in this survey.

Thus, this study investigates the relationship between organizations' characteristics and the conduct of audit practices, and identifies the most commonly used standards in Malaysian businesses.

Information Technology Prevalence in Malaysia

In Malaysia, IT has been evident since 1965, when the National Electricity Board pioneered the use of technology for the automation of its payroll system [3]. Since then, the government has actively embarked on several IT projects that computerized government departments, including the Royal Malaysian Police, Royal Customs and Excise Department, and Dewan Bahasa dan Pustaka. Since 1996, IT in Malaysia has taken a big step: the Multimedia Super Corridor (MSC) was launched in an effort to achieve Malaysia's Vision 2020, which was inspired by then Prime Minister, Tun Dr. Mahathir Mohamad. The MSC continues to provide a platform enabling an environment for further promoting the development of the IT industry, in hopes that Malaysia will be a fully developed nation by 2020. The increased usage of IT has been further enhanced and witnessed by its wider adoption in commerce, industry, education and health, as well as in mainstream daily life. The Multimedia Development Corporation (MDeC), formerly known as MDC, a government-owned agency, was set up to oversee the implementation of MSC. MDeC plays a major role in advising the government on legislation, policies and standards related to MSC Malaysia, and promotes MSC locally and globally. In addition, MDeC is actively involved in supporting companies with MSC status. For example, MDeC provides access to grants and funds for information and communications technology (ICT) research and development, foreign market access, technopreneur development programmes specially built for Malaysian ICT small and medium enterprises (SMEs), and facilitation services. MDeC acts as a one-stop center to approve applications for expatriates employed in Malaysia and also serves as a government liaison for various permits or approvals related to government agencies.

Research Methodology

As a first step in developing the survey sample, the Malaysian ICT Directory 2004/2005 was used to obtain a complete list of enterprises and institutions operating within the ICT sector. A total of 1,274 active ICT companies were listed in the directory, and from this, 480 companies (MSC and non-MSC) were chosen via a random sample. The 480 selected companies, located in the Klang Valley region, represented the Malaysian ICT companies. In this research, a questionnaire was used as the instrument to collect data. The data collection took place from June 2006 to August 2006. Initially, questionnaires were distributed to respondents' e-mail addresses. However, due to a poor response rate, the surveys were also sent by post, which increased the feedback. The questionnaire targeted respondents in senior positions, such as chief information officers, IT managers and IT auditors. A total of 33 completed and usable responses were returned, giving a response rate of 6.87 percent.

Results
Of the 33 organizations' responses to the survey, 17 organizations (51.5 percent) are non-MSC status companies and 16 (48.5 percent) are MSC status companies (figure 1).

JOURNALONLINE

Figure 1: Organization Demographic Profile

Variable / category                              Frequency   Percentage
Organization status
  Non-MSC company                                     17         51.5
  MSC company                                         16         48.5
Nature of business
  Sole trader                                          4         12.1
  Sole proprietor                                      1          3.0
  Partnership                                          1          3.0
  Corporation                                          8         24.2
  Others                                              19         57.6
Type of business
  Bank and insurance                                   1          3.0
  Retailer                                             3          9.1
  Construction                                         2          6.1
  Professional services                               20         60.6
  Others                                               7         21.2
Number of employees
  50 or fewer                                         13         39.4
  51-250                                               7         21.2
  251-500                                              2          6.1
  More than 500                                       11         33.3
Sales revenue
  Less than RM10 million                              12         36.4
  RM10-25 million                                      6         18.2
  More than RM50 million                              15         45.5
Employees' computer literacy (77 responses; percentages are of responses, not companies)
  General courses in college or university            25         32.5
  External training provided by vendor                13         16.9
  In-house company training                           16         20.7
  Self-study                                          20         26.0
  Others                                               3          3.9

Data on the employees' computer literacy in general were collected as well. The majority of companies' employees gained their knowledge of computers from general courses offered in colleges or universities; a few gained such knowledge via self-study, in-house company training and external training provided by vendors.

ICT Usage

Among the 33 companies that were studied, 27 (81.8 percent) have an ICT department. The other six companies do not have an ICT department and indicated that there was no requirement for their business to have one. Twenty-three companies (69.7 percent) claimed that their ICT department operates as a centralized base for information retrieval; their ICT departments are integrated with other departments (i.e., administration, marketing, finance and stock inventory) for information sharing. As for the communication medium used between departments, it was reported that an intranet is the most favored medium of communication (69.7 percent), followed by telephone (63.6 percent), Internet (36.4 percent), memos (33.3 percent) and other forms (6.1 percent).

IS Auditing Implementation

Twenty companies (60.6 percent) reported that they conduct IS audits; only 11 companies reported having an IT audit department. Companies without an IT audit department explained that there was no requirement for an IT audit department for their business and pointed to a lack of internal expertise in IT auditing. Eleven companies (33.3 percent) have been conducting audits for one to five years. Four companies have been conducting audits for more than five years but less than 10 years, and another four companies have been conducting audits for more than 10 years. Only one company has been conducting audits for less than a year. The IS auditors were trained through:
- Professional courses in IS auditing (39.4 percent)
- Self-study (36.4 percent)
- External training provided by vendor (27.3 percent)
- In-house company training (18.2 percent)
- Relevant courses at colleges or universities (12.1 percent)

This study also looked at the type of approach used by the companies in conducting IS audits. Nineteen companies (57.6 percent) claimed that they conduct audits through the computer (i.e., the computer is the target of the audit). Sixteen (48.5 percent) conduct audits with the computer (i.e., the computer is used as an audit tool) and only nine (27.3 percent) conduct audits around the computer (i.e., auditors trace the transaction but ignore the computer).

IS Auditing Standard

The types of IS auditing standards being applied within organizations are depicted in figure 2. The ISO/IEC 17799:2000 standard has the highest usage rate, with nine companies complying with this standard (27.3 percent). Eight companies use COBIT (24.2 percent), while use of the IT Infrastructure Library (ITIL) was reported in seven companies (21.2 percent). Only four companies reported compliance with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (12.1 percent). This study indicates that ISO/IEC 15406, ISO/IEC TR13335, TickIT and NIST 800-14 are not common among Malaysian companies.

Figure 2: IS Auditing Standards Use

[Bar chart; y-axis: count (0-40) with a secondary percentage scale (0-125%). Bars, left to right: ISO/IEC 17799:2000 (9), COBIT (8), ITIL (7), COSO (4), developed in-house (2), others (1), recommended by external auditor (1), TickIT (0), NIST 800-14 (0), ISO/IEC 15406 (0), ISO/IEC TR 13335 (0).]
Chi-Square Test of Association

Figure 3 shows the results of the Chi-Square Test of Association for the status of the organizations and the conduct of IS audits. Sixty percent of the non-MSC companies have utilized IS audit, as contrasted to 40 percent among MSC companies. The probability value of the association is 0.226, which indicates that the association is not significant at the 0.05 level. Therefore, the status of the company and the utilization of IS auditing are independent of each other. Similarly, the Chi-Square Test of Association was conducted between the number of employees in the company, annual sales revenue and the conduct of IS audits. The significance calculated is 0.001 for both variables (number of employees and annual sales revenue), which is well below the alpha level of 0.05. Therefore, the size of the company influences the utilization of IS audits.

Figure 3: Association Between Company MSC Status and IS Auditing Conduct

                        Does your organization conduct IS auditing?
Status of company            No        Yes       Total
Non-MSC company               5         12          17
MSC company                   8          8          16
Total                        13         20          33

Pearson Chi-Square: value 1.463(b), df 1, Asymp. Sig. (2-sided) .226


Discussion and Conclusion

In conclusion, paperless communication has become the favored communication medium among the companies surveyed. The survey found that companies' managements strongly believe that conducting IS audits will benefit their organizations. The study's findings on the use of standards such as COBIT, ITIL and ISO/IEC 17799:2000 are further supported by other literature [4-10]. The Chi-Square Test was used to test the relationship between two variables. This study found that there is no significant association between the status of the company and the utilization of IS audit; on the other hand, there is a statistically significant association between the number of employees, annual sales revenue and the utilization of IS auditing standards. These results indicate that the utilization of an IS auditing standard depends on the size of a company.

Jasber Kaur is a lecturer at Universiti Teknologi MARA, Malaysia. Her research interests include IT governance and IT audit. She can be contacted at jasber@tmsk.uitm.edu.my. Yap May Lin is associate professor of system sciences at Universiti Teknologi MARA in Malaysia. Ainon Zarina Mohamed Nadzri has 15 years of teaching experience in probability and statistics. She has been involved with the Quality Assurance Committee for nine years at Universiti Teknologi MARA. She has contributed to the Science and Technology Encyclopedia and to collaborative work between University of Technology, Malaysia, and Institute of Language and Literature, Malaysia.

Endnotes

1 IT Governance Institute, COBIT, USA, 1996-2007, www.itgi.org
2 Pardas, A.; "Curbing Threats Through Information Systems Audits," National ICT Security and Emergency Response Centre (NISER), 29 April 2002, www.niser.org.my/news
3 Syed-Mohamad, S.M.; "The Development of Information Technology in the Malaysian Public Sector," Proceedings of the Pacific Asia Conference on Information Systems, 1995
4 Burrows, J.H.; "Information Technology Standards in a Changing World: The Role of the Users," Computer Standards & Interfaces, vol. 20, 1999, p. 323-31
5 Iversen, E.J.; "Raising Standards: Innovation and the Emerging Global Standardization Environment for ICT," STEP Working Paper Series A022000, The STEP Group, 2000, www.step.no/Notater/A-02-2000.pdf
6 Stephens, D.O.; "International Standards and Best Practices in RIM," Information Management Journal, vol. 34 (2), 2000, p. 68-71
7 Gerber, M.; R. von Solms; "From Risk Analysis to Security Requirements," Computers & Security, 20(7), 2001, p. 577-84
8 Jung, H.W.; R. Hunter; "The Relationship Between ISO/IEC 15504 Process Capability Levels, ISO 9001 Certification and Organisation Size: An Empirical Study," The Journal of Systems and Software, vol. 59, 2001, p. 43-55
9 Dodds, R.; I. Hague; "Information Security: More Than an IT Issue?," Chartered Accountants Journal, December 2004, p. 56-7
10 Von Solms, B.; "Information Security Governance: COBIT or ISO 17799 or Both?," Computers & Security, 2005

Information Systems Control Journal (ISSN 1526-7407) is published by ISACA. Opinions expressed in the Journal represent the views of the authors and advertisers and may differ from policies and official statements of ISACA and/or the IT Governance Institute.
