Professional Documents
Culture Documents
E Techline Issue 1 2023
E Techline Issue 1 2023
E Techline Issue 1 2023
…1
IIA Malaysia e-techline
February 2023 Issue 1/23
April 2022 Issue 2/22
April 2022
• Security event logs are programmed to capture Network Security Issue 2/22
an audit trail for significant actions, such as Network security controls can be more narrowly
creating new administrator accounts or defined as designed to achieve the following
modifying any configuration items. business objectives:
• Baseline configurations are managed to • Security technologies are implemented to
optimise controls for network performance protect resources in accordance with their
and security. risk-based categorisation.
• Security event logs are configured to capture
• Changes to network and communications
data about significant actions, with enough
technologies or configurations, including
information to promote individual
security patches for relevant applications, are
accountability.
effectively implemented.
• Network management personnel work with IS
• Access to technology resources, both physical
teams to test controls and remediate any
and logical, is sufficiently secured, with system
significant vulnerabilities identified.
administrator accounts authorised according
to the least privilege principle.
Network Operations
The performance and availability of the data and
Communications Management
communications ecosystem needs to be
The processes to manage an organisation’s
monitored, with issues resolved effectively and
communication needs cover end user communication
efficiently.
and collaboration tools, as well as facility infrastructure
connections to telecommunications service providers.
Business resilience objectives for the data network
ecosystem largely consist of ensuring redundant,
Managing the operating relationships with various
failover, and emergency communication
service providers is a significant concern for this
capabilities, as well as developing and testing
grouping of controls. Performance, cost, and resilience
contingency plans.
factors all contribute to management decisions on
which communication and collaboration services to
Monitoring and Operations Assistance
provide the organisation.
Some types of network traffic and system usage
monitoring are performed by network security and
Boundary Defense
IS teams; however, the monitoring usually
External Connections
associated with network operations contributes
When the organisation engages with vendors to
primarily to service availability, rather than
obtain data or services, a connection between the
security, objectives.
two-enterprise network (often called an
interconnection) is typically established.
Nevertheless, some types of cyberattacks result in
traffic anomalies or disruptions to network
When end users attempt to connect a device to the
functions, including changing configuration
enterprise network via the internet, commonly
settings. Therefore, network monitoring processes
referred to as remote access, network controls may
should be coordinated with security controls to
verify the identities of the person and the device,
identify potential cyber incidents in a timely
and ensure that the connection is adequately
manner.
secured.
…2
IIA Malaysia e-techline
February 2023 Issue 1/23
April 2022 Issue 2/22
Resilience This Guide helps internal auditors find the additional
Network and communications management information needed to build tailored audit
personnel are often prominently involved in programmes and meaningful tests of control adequacy
resilience planning efforts, sometimes referred to as and effectiveness.
business continuity or disaster recovery planning. In
some organisations, resilience program ownership
may be delegated to a member of network
management. Additionally, the network hardware,
software, and communication services are critical
infrastructure elements that typically have
contingency plans, redundant or alternate paths,
and geographic distribution capabilities to enhance
their resilience.
…3
IIA Malaysia e-techline
February 2023 Issue 1/23
April 2022 Issue 2/22
TONE AT THE TOP Faster Risk Identification
It often requires poring over an enormous amount
THE DATA DILEMMA: EMPOWERING INTERNAL of data to identify anomalies that can indicate
AUDIT’S USE OF TECHNOLOGY (BY IIA GLOBAL) fraud, errors, or other issues to be addressed.
Advanced technologies can automate such reviews
Knowledge is power, and in a modern business context to help highlight anomalies or other risk
that means leveraging technology for effective use of considerations, leaving internal audit better able to
data in planning, strategising, and decision making. make data-based identifications of high-risk areas.
Unfortunately, organisations may not be benefiting In addition, when auditors can easily select high-
from all the advantages that advanced technologies can risk samples, they spend less time testing and cause
offer to support their goals. When internal audit is less disruption to audit clients.
outpaced by other parts of the organisation in
embracing technology, the valuable assurance and Continuous Monitoring
advisory services it can provide may also be lagging. A data-driven audit can define thresholds that will
trigger alerts for fraud, tagging items by a certain
Boards should be mindful of their internal audit number, amount, category, or frequency of
function’s relationship with technology, ensure transaction. Finding these cases can enable
sufficient resources to acquire needed technology, and internal audit to identify potential breaches in
push internal audit leaders to embrace data analytic. authority, policy, or procedure on a proactive,
automated basis.
A Range of Benefits
Timely Metrics Ease in Sharing Data
Real-time information delivered by advanced Once data has been gathered and analysed, readily
technologies can put companies in a better position available software tools make it possible to create
to track performance and quality and make dashboards and data visualisations that
necessary adjustments and remediation. Real-time communicate results easily and effectively. Instead
indicators make it possible to better align internal of columns of data or complicated charts, facts, and
audit goals with the company’s strategic objectives trends can be shown in digestible pieces. These
as well as its main threats and opportunities. At the graphics can also be tailored to each audience,
same time, the elimination of manual and repetitive providing a concise overview for the board or
tasks enhances productivity and frees internal audit senior management, and allowing for a deeper dive
professionals to provide higher-value insights. into the business unit being audited. Stakeholders
can also receive these reports more quickly than in
Better use of Data the past.
As organisations gather or gain access to more
detail, automated analytics tools make it feasible to Barriers to Overcome
perform more comprehensive and focused reviews Insufficient Investment
that are more likely to deliver useful insights for Although technologies such as data analytics and AI
decision making. In addition, billing data can be have received a great deal of attention, internal
mined to ensure that it jibes with contract terms. audit functions may not yet be able to make the
best use of them.
…4
IIA Malaysia e-techline
February 2023 Issue 1/23
February 2022 Issue 1/22
The need to Upskill the Team
Proficiency in the use of data analytics goes beyond
simply learning a new program. Instead, internal
audit functions need team members who have the
data science and IT skills to put data analytics to
work. Team training and development are integral to
making the best use of existing innovations and
leveraging new ones.
…5
IIA Malaysia e-techline
February 2023 Issue 1/23
February 2022 Issue 1/22
*NEW SECTION* - TECHNICAL WRITER
PROMINENCE OF STRATEGIC AUDITS IN AN ERA OF COMPETITIVE BUSINESS LANDSCAPE (BY JAVEN KHOO AI WEE, CIA, CISA, CFE)
…6
IIA Malaysia e-techline
February 2023 Issue 1/23
February 2022 Issue 1/22
…7
IIA Malaysia e-techline
February 2023 Issue 1/23
February 2022 Issue 1/22
…8
IIA Malaysia e-techline
…7
February 2023 Issue 1/23
February 2022 Issue 1/22
…9