
Curbing threats through information system audits
By Aimie Pardas
29th April 2002 (Computimes)

AUDITING of information and communications technology (ICT) systems is still not a common practice among local companies. The National ICT Security and Emergency Response Centre (Niser), based on its Security 2001/2002 survey, found that 72 per cent of respondents don't have a security audit practice.

Most of the 28 per cent of respondents who do have one do so because their sectors are regulated, said Niser's assistant director (I) Raja Azrina Raja Othman.

She added that the reason for not having this practice is partly because the organisations are not aware that a weakness in the system may exist, or don't realise what is going on in the back end.

There is also a lack of knowledge among users and top management in dealing with this situation, she said.

Raja Azrina said information system (IS) security is also often not considered a business objective, and most organisations think it is an expensive process. She added that IS security audits are important because most tech projects are often rushed, making the systems vulnerable to internal and external threats.

So the more pragmatic way to deal with it is to do an audit, she said.

When doing an ICT audit, companies need to look at areas such as networking and telecommunications, security management, application and system development, and systems architecture and models. They also need to take into account other factors, such as operations security, business continuity and disaster recovery plans, law, investigations and ethics, and physical security, Raja Azrina said.

For effective IS auditing, auditors need wide knowledge and understanding to interpret and present findings in a logical way, so that recommendations and rectifications can be made, she said.

Universiti Kebangsaan Malaysia (UKM)'s dean of the faculty of information science and technology, Prof Dr Aziz Deraman, said the Government needs to look into the feasibility of setting up an official body which certifies organisations whose information systems meet certain security standards.

He said such a body should have a role similar to Sirim, which promotes standardisation and quality assurance for greater competitiveness.

According to Aziz, the setting up of a standards body for IS is vital as more businesses are being conducted on the Internet, which gives rise to the issues of security of confidential data and information. Previously, information systems were largely closed and client-server based. Now most are linked to the World Wide Web. So the element of rating needs to be there to ensure that the organisations are not exposed to security threats.

Malaysian Institute of Certified Public Accountants president Dr Abdul Samad Alias said that with the advancements in technology, auditors need the necessary expertise to be competent and sufficient in auditing IS resources. If the auditors don't understand the system, then they cannot discharge their duty well.
