IS Auditing Standards in Malaysia
Super Corridor (MSC) was launched in an effort to achieve Malaysia's Vision 2020, which was inspired by then Prime Minister, Tun Dr. Mahathir Mohamad. The MSC continues to provide a platform enabling an environment for further promoting the development of the IT industry in hopes that Malaysia will be a fully developed nation by 2020. The increased usage of IT has been further enhanced and witnessed by its wider adoption in commerce, industry, education and health, as well as in mainstream daily life. The Multimedia Development Corporation (MDeC), formerly known as MDC, a government-owned agency, was set up to oversee the implementation of MSC. MDeC plays a major role in advising the government on legislation, policies and standards related to MSC Malaysia, and promotes MSC locally and globally. In addition, MDeC is actively involved in supporting companies with MSC status. For example, MDeC provides access to grants and funds for information and communications technology (ICT) research and development, foreign market access, technopreneur development programmes specially built for Malaysian ICT small and medium enterprises (SMEs), and facilitation services. MDeC acts as a one-stop center to approve applications for expatriates employed in Malaysia and also serves as a government liaison for various permits or approvals related to government agencies.
Research Methodology
As a first step in developing the survey sample, the Malaysian ICT Directory 2004/2005 was used to obtain a complete list of enterprises and institutions operating within the ICT sector. A total of 1,274 active ICT companies were listed in the directory, and from this, 480 companies (MSC and non-MSC) were chosen via a random sample. The 480 selected companies, located in the Klang Valley region, represented the Malaysian ICT companies. In this research, questionnaires were set up as an instrument to collect data. The data collection took place from June 2006 to August 2006. Initially, questionnaires were distributed via respondents' e-mail addresses. However, due to a poor response rate, the surveys were also mailed, and increased feedback resulted. The questionnaire targeted respondents in senior positions, such as chief information officers, IT managers and IT auditors. A total of 33 completed and usable responses were returned, giving a response rate of 6.87 percent.
Results
Of a total of 33 organizations' responses to the survey, 17 organizations (51.5 percent) are non-MSC status companies and 16 (48.5 percent) are MSC status companies (figure 1).
JOURNALONLINE
Data on the employees' computer literacy in general were collected as well. The majority of companies' employees gained their knowledge on computers from general courses offered in colleges or universities; a few gained such knowledge via self-study, in-house company training and external training provided by vendors.
ICT Usage
Among the 33 companies that were studied, 27 (81.8 percent) have an ICT department. The other six companies do not have an ICT department and have indicated that there was no requirement for their business to have one. Twenty-three companies (69.7 percent) claimed that their ICT department operates as a centralized base for information retrieval; their ICT departments are integrated with other departments (i.e., administration, marketing, finance and stock inventory) for information sharing. As for the communication medium used between departments, it was reported that an intranet is the most favored medium of communication (69.7 percent), followed by telephone (63.6 percent), Internet (36.4 percent), memos (33.3 percent) and other forms (6.1 percent).
IS Auditing Implementation
Twenty companies (60.6 percent) reported that they conduct IS audits; only 11 companies reported having an IT audit department. Companies without an IT audit department explained that there was no requirement for an IT audit department for their business and pointed to a lack of internal expertise in IT auditing. Eleven companies (33.3 percent) have been conducting audits for one to five years. Four companies have been conducting audits for more than five years, but less than 10 years, and another four companies have been conducting audits for more than 10 years. Only one company has been conducting audits for less than a year. The IS auditors were trained through:
- Professional courses in IS auditing (39.4 percent)
- Self-study (36.4 percent)
- External training provided by vendor (27.3 percent)
- In-house company training (18.2 percent)
- Relevant courses at colleges or universities (12.1 percent)
This study also looked at the type of approach used by the companies in conducting IS audits. Nineteen companies (57.6 percent) claimed that they conduct audits through the computer (i.e., the computer is the target of the audit). Sixteen (48.5 percent) conduct audits with the computer (i.e., the computer is used as an audit tool), and only nine (27.3 percent) conduct audits around the computer (i.e., auditors trace the transaction but ignore the computer).
IS Auditing Standard
The types of IS auditing standards being applied within organizations are depicted in figure 2. The ISO/IEC 17799:2000 standard has the highest usage rate, with nine companies complying with this standard (27.3 percent). Eight companies use COBIT (24.2 percent), while use of the IT Infrastructure Library (ITIL) was reported in seven companies (21.2 percent). Only four companies reported compliance with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (12.1 percent). This study indicates that ISO/IEC 15406, ISO/IEC TR13335, TickIT and NIST 800-14 are not common among Malaysian companies.
[Figure 2: IS Auditing Standards Use. Bar chart, vertical axis 0% to 40% of companies; categories ISO/IEC 17799:2000, COBIT, ITIL, COSO, developed in-house, others, recommended by external auditor, TickIT, NIST 800-14, ISO/IEC 15406 and ISO/IEC TR 13335. Chart image not recoverable from the extracted text.]
Chi-Square Test of Association
Figure 3 shows the results of the Chi-Square Test of Association for the status of the organizations and the conduct of IS audits. Sixty percent of the non-MSC companies have utilized IS audit, as contrasted to 40 percent among MSC companies. The probability value of the association is 0.226, which indicates that the association is not significant at the 0.05 alpha level. Therefore, the status of the company and the utilization of IS auditing are independent of each other. Similarly, the Chi-Square Test of Association was conducted among the number of employees in the company, annual sales revenue and the conduct of IS audits. The significance calculated is 0.001 for both variables (number of employees and annual sales revenue), which is well below the alpha level of 0.05. Therefore, the size of the company influences the utilization of IS audits.
[Figure 3: Chi-Square Test of Association for company status and conduct of IS audits. Pearson Chi-Square: value 1.463(b), df 1, asymptotic significance 0.226.]
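The following Python block is an added worked example, not code from the article or its authors, showing how the Pearson chi-square test of association reported above is computed for a contingency table. The cell counts are an assumption reconstructed from the article's figures (33 companies, 17 non-MSC and 16 MSC, 20 conducting IS audits, with the 60/40 split read as 12 non-MSC and 8 MSC auditing companies); under that reading the statistic comes out at 1.463 with df 1 and p 0.226, matching the values the article reports. The function names and the series used for the p-value are the example's own choices; the test is implemented for a general r x c table and the tail probability is computed from the regularized incomplete gamma function so that it runs offline without SciPy.

```python
"""Pearson chi-square test of association for an r x c contingency table.

Added example. SURVEY_TABLE is an assumed reconstruction of the survey
counts, not a table published in the article.
"""
from math import exp, gamma

# Constructed table (assumption): rows = company status, columns = conducts IS audit?
#                 audit   no audit
# non-MSC          12        5      (17 companies)
# MSC               8        8      (16 companies)
SURVEY_TABLE = [[12, 5], [8, 8]]


def expected_counts(table):
    """Expected cell counts under independence: row total * column total / N."""
    row_totals = [sum(row) for row in table]
    col_totals = [sum(col) for col in zip(*table)]
    n = sum(row_totals)
    return [[r * c / n for c in col_totals] for r in row_totals]


def chi2_sf(x, df):
    """Upper-tail probability P(X > x) for a chi-square variable with df degrees of freedom.

    Uses the power series for the regularized lower incomplete gamma function
    P(a, y) with a = df/2 and y = x/2, then returns 1 - P(a, y).
    """
    if x <= 0:
        return 1.0
    a, y = df / 2.0, x / 2.0
    term = 1.0 / a          # n = 0 term of sum_n y^n / (a (a+1) ... (a+n))
    total = term
    for n in range(1, 1000):
        term *= y / (a + n)
        total += term
        if term < total * 1e-15:
            break
    lower = total * y ** a * exp(-y) / gamma(a)
    return max(0.0, 1.0 - lower)


def pearson_chi2(table):
    """Return (chi-square statistic, degrees of freedom, p-value) for the table."""
    expected = expected_counts(table)
    stat = sum(
        (obs - exp_) ** 2 / exp_
        for row_obs, row_exp in zip(table, expected)
        for obs, exp_ in zip(row_obs, row_exp)
    )
    df = (len(table) - 1) * (len(table[0]) - 1)
    return stat, df, chi2_sf(stat, df)


def is_association_significant(table, alpha=0.05):
    """Decision rule used in the article: reject independence when p < alpha."""
    _, _, p = pearson_chi2(table)
    return p < alpha


if __name__ == "__main__":
    stat, df, p = pearson_chi2(SURVEY_TABLE)
    print(f"Pearson chi-square = {stat:.3f}, df = {df}, p = {p:.3f}")
    print("significant at alpha 0.05:", is_association_significant(SURVEY_TABLE))
```

Running the block prints a statistic of 1.463 and a p-value of 0.226 for the reconstructed table, so the decision rule returns False, which is the article's conclusion that company status and IS audit utilization are independent. The same functions can be applied to the employee-count and revenue tables, which the article does not reproduce.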
Jasber Kaur is a lecturer at Universiti Teknologi MARA, Malaysia. Her research interests include IT governance and IT audit. She can be contacted at jasber@tmsk.uitm.edu.my. Yap May Lin is associate professor of system sciences at Universiti Teknologi MARA in Malaysia. Ainon Zarina Mohamed Nadzri has 15 years of teaching experience in probability and statistics. She has been involved with the Quality Assurance Committee for nine years at Universiti Teknologi MARA. She has contributed to the Science and Technology Encyclopedia and collaboration work between University of Technology, Malaysia, and Institute of Language and Literature, Malaysia.
Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © 2008 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org