Opening Remark By
Y.Bhg. Tan Sri Dato’ Setia Ambrin Bin Buang
Auditor General of Malaysia
At the Opening Ceremony of The Information Technology (IT) Audit Course Under the
Malaysian Technical Cooperation Programme (MTCP)
03 November 2009 At The National Audit Academy
Distinguished Guests, Course Instructors,
MTCP Course Participants, Ladies and Gentlemen.
Assalammualaikum, Selamat Datang and a very good morning.
1. On behalf of the government of Malaysia and the National Audit Department, it is a
great pleasure for me to welcome our guests and course participants from 18 countries to this
Ladies and gentlemen,
2. My utmost appreciation goes to the sponsor of this program that is the Economic
Planning Unit of the Prime Minister’s Department. We are indeed honored to host this course
under the Malaysian Technical Cooperation Programme (MTCP) this year. The objective of
MTCP is to share Malaysian development experiences and help capacity building amongst the
participating countries. Therefore, I hope the participants will maximize this opportunity to know
Malaysia, its people, culture and the wide spectrum of cuisines, besides gaining knowledge and
experiences of IT Audit.
3. Information Technology (IT) has progressed rapidly in Malaysia especially after the
launch of the Multimedia Super Corridor (MSC) in 1996 in Kuala Lumpur. MSC has leap
frogged Malaysia to become the hub for IT in this information age. The mode of transaction has
changed from manual to electronic, establishing electronic governments in the country.
4. Information is one the most important resources of an organization, and to protect it
is one the main priorities. In today’s environment we must seek for control and process tools
that guarantee the liability, security and confidentiality of the data that is processed through out
the information system.
5. The setting of controls must be precise and broad, not only should they be focused
on physical and material aspects of security, space assigned to computer systems, the assignment
of access passwords, labeling of equipments, inventories, among other issues, controls must be
established as a logical component.
6. The use of IT has tremendously changed the mode and speed of processing, storage
of data and records. These in turn affect the organization and the procedures of the auditee
(agency’s) accounting and internal control systems. Consequently, the auditors’ techniques and
methodologies in conducting the audit would be affected by the characteristics of the
7. We all know that as the economy and governance begin to experiment with the new
science, the perpetrators of crime may take advantage, making detection difficult if not
impossible. Therefore as they say, diamond cuts diamond we need to use ICT to detect ICT
8. In the traditional auditing environment, fraud usually occurs from inside the audited
entity. For instance, the management commits deliberate top-down frauds by inventing or even
hiding the facts; some of the staff forge, modify or even destroy relevant records to search for
personal benefits. While in IT environment, fraud always come from the outside, for instance,
when the hacker breaks in the system and modifies the data through Internet. Actually such
fraud is against the interests of the audited entity. While the management should take the
responsibility for the weakness, they are also the victim to a large extent. Under such
circumstances, the auditor should differentiate respective responsibilities based on special
consideration before disclosure.
9. The National Audit Department has already embarked into IT Auditing when it
pioneered the use of the Computer Assisted Audit Techniques and Tools (CAATTs) called Audit
Command Language (ACL) since early 1980s in this region. Since then, we have our counter
parts from Indonesia, Singapore and Brunei coming to learn and share experiences for the use of
ACL. ACL is widely used in the analysis of financial data to certify the Financial Statements of
the Federal and State Governments as well as to evaluate existence of internal controls in the
10. As technology progresses, more systems and applications are developed. Federal and
State Governments, local authorities, statutory bodies as well as the religious councils are all
becoming electronic. Hence, it becomes more and more important for the auditors to ensure
sufficient controls exist in the system in order to generate sound Financial Statements at the end
of the year.
11. Over the years we have reported on the internal controls status of the Financial
Accounting Systems of the Federal Government, some statutory bodies and recently the Land
Administration System of the state governments. These findings are indeed adding value to the
aspects of accountability and transparency in the implementation of e-Governments in the
12. In the IT environment, the scope of Auditing includes Internal Controls Review,
System Development Life Cycle Audit, Security Audit, IT Infrastructure and Network Audit as
well as Performance Audit of the IT Systems. In Malaysia, the rapid progress in the electronic
Government Development warrants the change in the mode of audit. ‘Pre auditing’ and
‘concurrent auditing’ are crucial and necessary, rather than ‘post audit’, involving auditors from
the start of the System Development. These are carried out for several high impact IT projects
such as smart schools and Hospital Information Systems (HIS).
13. The Government of Malaysia recognizes the role of the Auditor General (AG) in the
IT agenda. The AG is appointed a member of the highest IT Committee for the government
(JITIK) chaired by the Chief Secretary to the Government. Here, the Auditor General’s opinion
is frequently sought upon before a decision on IT procurement or development is made.
Ladies and gentlemen,
14. I am sure IT development is a significant agenda in your respective countries as well.
It may be to address the ‘digital divide’ amongst communities in the rural and urban areas, or to
‘improve service delivery’ in the government sector. Whichever it is, financial implication is
definitely significant. Therefore, auditors can play an important role to ensure value for money in
these large investments.
15. Recently, NAD Malaysia has raised the issues of source code ownership, wastage on
purchase of Computers, IT project management weaknesses and system development risks. The
government is taking positive steps to remedy weaknesses highlighted. Some roll-out projects
have been put on hold due to comments on their pilot implementation.
16. NAD Malaysia has developed its own IT Audit Guidelines in 2002. With reference
to that document, in 2003, Malaysia chaired the ASOSAI Research Committee together with
China, India, and Australia SAIs to develop the ASOSAI IT Audit Guideline.
17. The instructor’s team for this MTCP course has specially designed the module for an
Internal Controls Review which also includes the use of CAATTs for the data Analysis. It is
hoped that after this program, participants will be able to do a system’s control review and give
an opinion whether the internal controls are present and adequate to mitigate the possible risks
from affecting the Financial Systems. Materials from the International Organization of the
Supreme Audit Institutions (INTOSAI) and the ASEAN Organization of the Supreme Audit
Institutions (ASOSAI) have been referred to for this course. Cases of the IT Audit carried out
by the NAD Malaysia are also used to illustrate some examples.
18. I am convinced that this course will be a good forum for exchange of ideas and
experiences. This course will also give a valuable chance to establish close friendship and ties
between the SAIS. I sincerely hope it will bring results through your close cooperation and full
involvement in the discussions of the related topics of the IT audit.
19. I’m glad to announce that the secretariat has also arranged social programmes during
your stay here in Malaysia, including a home stay at a Malay village. Do enjoy this privilege to
learn the cultures, new places and of course the taste of the local food.
Ladies and Gentlemen,
20. Before I end my speech, let me once again thank all the distinguished guests for your
presence to this gracious occasion. To the MTCP participants, I wish you on enjoyable your stay
in Malaysia and do get to experience what Malaysia has to offer you, besides taking back the
valuable knowledge and experiences of IT Audit that our team of instructors share with you.
Thank you and terima kasih.