Lately, many organizations and companies in Malaysia are facing major information systems (IS) security threats such as intrusion, spamming, negligence, and misuse and abuse of information technology (IT) resources. These abnormalities and security risks pose a great challenge for most businesses when it comes to protecting and safeguarding business processes and vital information assets. The reasons for security concerns are primarily due to lack of sufficient and effective IT standards and controls over IT risks in organization business processes. Professional IT auditing and standards bodies, such as ISACA, have sought aggressive implementation on IS auditing standards that specify internal control models, quality standards and frameworks for businesses with substantial IT frameworks. Therefore, auditing of IT systems based on established international standards is a practice that should, in some form or other, be established and regulated in companies and organizations to ensure that such IT controls are in place and functioning efficiently and effectively. Emphasis is now being placed on the adoption of standards such as the International Organization for Standardization’s ISO 17799 and Control Objectives for Information and related Technology (COBIT)1 from the IT Governance Institute. Apparently, the adoption of such standards can help prevent and reduce IT risk, as well as address information security guidance for businesses.
A 2001-2002 survey conducted by a Malaysian IT security body—The National ICT Security and Emergency Response Center (NISER)—found that 72 percent of Malaysian organizations/companies do not have a sound security audit practice.2 The managements of these organizations lack awareness and realization of the organizational weaknesses in their IT systems and framework. The lack of knowledge among users and top management in the area of IS auditing standards was found to be one of the contributing factors reported in this survey. Thus, this study investigates the relationship between organizations’ characteristics and the conduct of audit practices, and addresses the most commonly used standards in Malaysian businesses.
Information Technology Prevalence in Malaysia
In Malaysia, IT has been evident since 1965, when the National Electricity Board pioneered the use of technology for the automation of its payroll system.3 Since then, the government has actively embarked on several IT projects that were involved in computerizing government departments, including the Royal Malaysian Police, Royal Customs and Excise Department, and Dewan Bahasa dan Pustaka. Since 1996, IT in Malaysia has taken a big step; the Multimedia Super Corridor (MSC) was launched in an effort to achieve Malaysia’s Vision 2020, which was inspired by then Prime Minister, Tun Dr. Mahathir Mohamad. The MSC continues to provide a platform enabling an environment for further promoting the development of the IT industry—in hopes that Malaysia will be a fully developed nation by 2020. The increased usage of IT has been further enhanced and witnessed by its wider adoption in commerce, industry, education and health, as well as in mainstream daily life.
The Multimedia Development Corporation (MDeC), formerly known as MDC, a government-owned agency, was set up to oversee the implementation of MSC. MDeC plays a major role in advising the government on legislation, policies and standards related to MSC Malaysia, and promotes MSC locally and globally. In addition, MDeC is actively involved in supporting companies with MSC status. For example, MDeC provides access to grants and funds for information and communications technology (ICT) research and development, foreign market access, technopreneur development programmes specially built for Malaysian ICT small and medium enterprises (SMEs), and facilitation services. MDeC acts as a one-stop center to approve applications for expatriates employed in Malaysia and also serves as a government liaison for various permits or approvals related to government agencies.
As a first step in developing the survey sample, the Malaysian ICT Directory 2004/2005 was used to obtain a complete list of enterprises and institutions operating within the ICT sector. A total of 1,274 active ICT companies were listed in the directory, and from this, 480 companies (MSC and non-MSC) were chosen via a random sample. The 480 selected companies, located in the Klang Valley region, represented the Malaysian ICT companies. In this research, questionnaires were set up as an instrument to collect data. The data collection took place from June 2006 to August 2006. Initially, questionnaires were distributed via respondents’ e-mail addresses. However, due to a poor response rate, the surveys were also sent by post, which increased the feedback received. The questionnaire targeted respondents with senior positions, such as chief information officers, IT managers and IT auditors. A total of 33 completed and usable responses were returned, giving a response rate of 6.87 percent.
Of a total of 33 organizations’ responses to the survey, 17 organizations (51.5 percent) are non-MSC status companies and 16 (48.5 percent) are MSC status companies (figure 1).
Data on the employees’ computer literacy in general were collected as well. The majority of companies’ employees gained their knowledge on computers from general courses offered in colleges or universities; a few gained such knowledge via self-study, in-house company training and external training provided by vendors.
Among the 33 companies that were studied, 27 (81.8 percent) have an ICT department. The other six companies do not have an ICT department and have indicated that there was no requirement for their business to have one. Twenty-three companies (69.7 percent) claimed that their ICT department operates as a centralized base for information retrieval; their ICT departments are integrated with other departments (i.e., administration, marketing, finance and stock inventory) for information sharing. As for the communication medium used between departments, it was reported that an intranet is the most favored medium of communication (69.7 percent), followed by telephone (63.6 percent), Internet (36.4 percent), memos (33.3 percent) and other forms (6.1 percent).
IS Auditing Implementation
Twenty companies (60.6 percent) reported that they conduct IS audits; only 11 companies reported having an IT audit department. Companies without an IT audit department explained that there was no requirement for an IT audit department for their business and pointed to a lack of internal expertise in IT auditing. Eleven companies (33.3 percent) have been conducting audits for one to five years. Four companies have been conducting audits for more than five years, but less than 10 years, and another four companies have been conducting audits for more than 10 years. Only one company has been conducting audits for less than a year. The IS auditors were trained through:
- Professional courses in IS auditing (39.4 percent)
- Self-study (36.4 percent)
- External training provided by vendor (27.3 percent)
- In-house company training (18.2 percent)
- Relevant courses at colleges or universities (12.1 percent)
This study also looked at the type of approach used by the companies in conducting IS audits. Nineteen companies (57.6 percent) claimed that they conduct audits through the computer (i.e., computer as the target of audit). Sixteen (48.5 percent) conduct audits with the computer (use the computer as an audit tool) and only nine (27.3 percent) conduct audits around the computer (i.e., auditors trace the transaction, but ignore the computer).
IS Auditing Standard
The types of IS auditing standards being applied within organizations are depicted in figure 2. The ISO/IEC 17799:2000 standard has the highest usage rate, with nine companies complying with this standard (27.3 percent). Eight companies use COBIT (24.2 percent), while use of the IT Infrastructure Library (ITIL) was reported in seven companies (21.2 percent). Only four companies reported compliance with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (12.1 percent). This study indicates that ISO/IEC 15406, ISO/IEC TR13335, TickIT and NIST 800-14 are not common among Malaysian companies.
Chi-Square Test of Association
Figure 3 shows the results of the Chi-Square Test of Association for the status of the organizations and the conduct of IS audits. Sixty percent of the non-MSC companies have utilized IS audit, as contrasted to 40 percent among MSC companies. The probability value of the association is 0.226, which indicates that the association is not significant (p
Similarly, the Chi-Square Test of Association was conducted among the number of employees in the company, annual sales revenue and the conduct of IS audits. The significance calculated is 0.001 for both variables (number of employees and annual sales revenue), which is well below the alpha level 0.05. Therefore, the size of the company influences the utilization of IS audits.
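As an added illustration (not part of the article), the 2x2 Chi-Square Test of Association for company status versus the conduct of IS audits can be recomputed from the reported counts. It assumes that the 60/40 split refers to the 20 auditing companies (12 of 17 non-MSC and 8 of 16 MSC firms), which is the reading that reproduces the reported probability value of 0.226; the p-value routine covers only one degree of freedom, which is all a 2x2 table needs.

```python
import math


def chi_square_stat(table):
    """Pearson chi-square statistic for an r x c table of observed counts.

    Returns (statistic, degrees of freedom, smallest expected cell count).
    """
    rows = [sum(r) for r in table]
    cols = [sum(c) for c in zip(*table)]
    n = sum(rows)
    stat = 0.0
    min_expected = float("inf")
    for i, row in enumerate(table):
        for j, observed in enumerate(row):
            expected = rows[i] * cols[j] / n
            min_expected = min(min_expected, expected)
            stat += (observed - expected) ** 2 / expected
    dof = (len(rows) - 1) * (len(cols) - 1)
    return stat, dof, min_expected


def p_value_df1(stat):
    """Right-tail probability of a chi-square variable with 1 degree of freedom."""
    return math.erfc(math.sqrt(stat / 2.0))


def status_association(alpha=0.05):
    """Status (non-MSC / MSC) versus conduct of IS audits, using the article's counts."""
    # Constructed table under the stated assumption:
    # rows = non-MSC (17 firms), MSC (16 firms); cols = conducts IS audit, does not.
    table = [[12, 5], [8, 8]]
    stat, dof, min_expected = chi_square_stat(table)
    assert dof == 1, "p_value_df1 is only valid for 2x2 tables"
    p = p_value_df1(stat)
    return {
        "statistic": stat,
        "p_value": p,
        # Rule of thumb: every expected count should be at least 5 for the test to be reliable.
        "expected_counts_ok": min_expected >= 5,
        "significant": p < alpha,
    }


if __name__ == "__main__":
    print(status_association())
```

With these counts the statistic is about 1.46 and p is about 0.226, so the association is not significant at the 0.05 level, as the article reports.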
Discussion and Conclusion
In conclusion, paperless communication has become the favored medium of communication today. The survey concluded that companies’ managements strongly believe that conducting IS audits will benefit their organizations. The study’s findings on the use of standards such as COBIT, ITIL and ISO/IEC 17799:2000 are further supported by other literature.4-10
The Chi-Square Test was used to test the relationship between two variables. This study found that there is no significant association between the status of the company and the utilization of IS audit; on the other hand, there is a statistically significant association among the number of employees, annual sales revenue and the utilization of IS auditing standards. These results indicate that the utilization of an IS auditing standard depends on the size of a company.
1 IT Governance Institute, COBIT, USA, 1996-2007, www.itgi.org.
2 Pardas, A.; “Curbing Threats Through Information Systems Audits,” National ICT Security and Emergency Response Centre (NISER), 29 April 2002, www.niser.org.my/news
3 Syed-Mohamad, S.M.; “The Development of Information Technology in the Malaysian Public Sector,” Proceedings of the Pacific Asia Conference on Information Systems, 1995
4 Burrows, J.H.; “Information Technology Standards in a Changing World: The Role of the Users,” Computer Standards & Interfaces, vol. 20, 1999, p. 323-31
5 Iversen, E.J.; “Raising Standards: Innovation and the Emerging Global Standardization Environment for ICT,” STEP Working paper series A022000, The STEP Group, 2000, www.step.no/Notater/A-02-2000.pdf
6 Stephens, D.O.; “International Standards and Best Practices in RIM,” Information Management Journal, vol. 34 (2), 2000, p. 68-71
7 Gerber, M.; R. von Solms; “From Risk Analysis to Security Requirements,” Computers & Security, 20(7), 2001, p. 577-84
8 Jung, H.W.; R. Hunter; “The Relationship Between ISO/IEC 15504 Process Capability Levels, ISO 9001 Certification and Organisation Size: An Empirical Study,” The Journal of Systems and Software, vol. 59, 2001, p. 43-55
9 Dodds, R.; I. Hague; “Information Security—More Than an IT Issue?,” Chartered Accountants Journal, December 2004, p. 56-7
10 Von Solms, B.; “Information Security Governance: COBIT or ISO 17799 or Both?,” Computers & Security, 2005
is a lecturer at Universiti Teknologi MARA, Malaysia. Her research interests include IT governance and IT audit. She can be contacted at firstname.lastname@example.org.
Yap May Lin
is associate professor of system sciences at Universiti Teknologi MARA in Malaysia.
Ainon Zarina Mohamed Nadzri
has 15 years of teaching experience in probability and statistics. She has been involved with the Quality Assurance Committee for nine years at Universiti Teknologi MARA. She has contributed to the Science and Technology Encyclopedia and collaboration work between University of Technology, Malaysia, and Institute of Language and Literature, Malaysia.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.