CBCS4103 Audit Security and Control – Audit Team and Controls

The purpose of this assignment is to increase learners' understanding of the Information Technology (IT) auditing process.


Question

IT auditing is essential for organisations to effectively identify potential risks, maintain compliance with regulatory standards, protect critical data, enhance system performance, and build trust among stakeholders. The IT audit process focuses on evaluating system controls to ensure they function as intended across various components, including application systems, operating systems, network infrastructure, databases, physical assets, disaster recovery mechanisms, and cloud-based environments. The scope and complexity of an IT audit may differ depending on factors such as the organisation's industry, size, and technological environment.

In line with this, your organisation is in the process of forming an IT audit team to evaluate current audit practices and determine the effectiveness of existing system controls. You are required to prepare a detailed report that covers the following aspects:

  • IT audit team
  • High-performing IT audit team strategies
  • Internal controls
  • Auditing application system controls
  • Auditing operating system controls
  • Testing methods and audit documentation
  • Auditing technologies or tools

Note:

Please refer to the rubric for detailed criteria and requirements.

Your grade will be based on adherence to the rubric, along with your creativity, originality, and clarity in writing.


Expert Answer to the Above Question on IT Audit Security & Control

IT Audit Team

An IT audit team is comprehensive when it includes an IT audit manager, an IT auditor, a cyber security specialist, compliance officers and a database auditor. Team members should be well aware of the regulations that apply under the Malaysian Personal Data Protection Act (PDPA) 2010, along with the industry-specific requirements set by regulators such as Bank Negara Malaysia (BNM).

High performing IT audit team strategies

The audit team is required to perform regular audits aimed at identifying high-risk systems, use data analytics tools to identify irregular patterns in the data, carry out continuous training on cyber security threats, maintain regular communication with IT team personnel, and review performance to improve future audit effectiveness.

Internal control

The internal controls that can be applied are multi-factor authentication for access to systems, automated backup systems and disaster recovery procedures, access controls on sensitive data, and continuous monitoring of audit logs to track user activities and system changes.

Auditing application system controls

The auditor is required to verify that access rights are granted to authorised personnel, that input validation is in place to restrict fraudulent data entry, that any major changes require proper approval, and that critical processes comply with regulatory requirements.

Auditing operating system control

With respect to operating system controls, the auditor needs to make sure that proper password and account management policies are in place, that anti-malware and endpoint security controls are integrated, that the operating system is properly patched under defined patch management practices, and that system configuration settings comply with security standards such as ISO 27001.

Testing methods and auditing documentation

Appropriate testing methods include enquiries with IT personnel, thorough observation and monitoring of system processes, regular audits of system logs, and vulnerability scanning and penetration testing. With respect to audit documentation, the auditor should make sure that there is a proper audit plan and scope, that test results and evidence are available, and that a final audit report is available for management review.
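An added example (not part of the original answer) of the password and account policy check from the operating system section, recorded as test results with evidence as the documentation paragraph asks. It compares a constructed Linux `/etc/login.defs` sample against an assumed organisational baseline; the thresholds, `SAMPLE_LOGIN_DEFS` and the function names are illustrative assumptions, not values taken from ISO 27001.

```python
import re

# Constructed sample of a Linux /etc/login.defs (not from a real system).
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
#PASS_MIN_LEN   12
"""

# Assumed organisational baseline: key -> (comparison, threshold). Illustrative only.
BASELINE = {
    "PASS_MAX_DAYS": ("max", 90),
    "PASS_MIN_DAYS": ("min", 1),
    "PASS_WARN_AGE": ("min", 7),
    "PASS_MIN_LEN": ("min", 12),
}


def parse_login_defs(text):
    """Return {key: (value, line_number)} for active (uncommented) settings."""
    settings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = re.match(r"\s*([A-Z_]+)\s+(\S+)", line)
        if m:
            settings[m.group(1)] = (m.group(2), lineno)
    return settings


def audit_password_policy(text, baseline=BASELINE):
    """Test each baseline control and return findings with supporting evidence."""
    settings = parse_login_defs(text)
    findings = []
    for key, (kind, limit) in sorted(baseline.items()):
        if key not in settings:
            findings.append({"control": key, "result": "FAIL",
                             "evidence": "setting absent or commented out"})
            continue
        raw, lineno = settings[key]
        ok = raw.isdigit() and (int(raw) <= limit if kind == "max" else int(raw) >= limit)
        findings.append({"control": key, "result": "PASS" if ok else "FAIL",
                         "evidence": f"line {lineno}: {key}={raw} (required {kind} {limit})"})
    return findings


if __name__ == "__main__":
    for f in audit_password_policy(SAMPLE_LOGIN_DEFS):
        print(f"{f['result']:4} {f['control']:14} {f['evidence']}")
```

A commented-out setting is reported as a failure rather than skipped, so a control that exists only on paper still appears in the working papers.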

Auditing technologies or tools

The IT audit manager should consider common tools used in Malaysian businesses, including ACL Analytics for data analysis and fraud detection, Microsoft Power BI for audit reporting and visualisation, Nessus for vulnerability assessment, Wireshark for network traffic analysis, and Splunk for log data analysis and management.
