IT Assessment & Audit
Vendor-neutral IT audit with a prioritised improvement roadmap — delivered across APAC
Brocent delivers structured IT assessments from SME project audits through enterprise security, compliance, and governance programs. Whether you need a Microsoft 365 baseline review for fewer than 20 users, a full 17-service audit catalog, or recurring quarterly and annual packages — we provide risk-ranked findings, jurisdiction-specific compliance notes, and actionable remediation roadmaps across Hong Kong, Singapore, China, India, Taiwan, Malaysia, Vietnam, and Thailand.
Who It's For
From SME baselines to enterprise audit programs
SMEs with fewer than 20 IT users needing a fixed-scope Microsoft 365 and hybrid environment audit with transparent USD pricing.
Enterprises and regulated industries requiring security, compliance, cloud, governance, or vendor audits on a defined cadence.
Organisations with offices across multiple APAC markets needing unified reporting with per-jurisdiction PDPO, PDPA, PIPL, DPDP, and ISO 27001 gap analysis.
Regional Delivery
Compliance-aware audit delivery across APAC
Each engagement maps findings to the privacy and security frameworks relevant to your operating markets. Explore Brocent's regional IT services for local delivery context.
PDPO
Data handling, access control, and SFC-ready documentation
- ▸PDPO gap analysis
- ▸Privileged access review
- ▸Backup and DR readiness
PDPA (PDPC)
PDPA-aware operations and M365 governance
- ▸PDPA compliance audit
- ▸MFA and Conditional Access
- ▸Email security (SPF/DKIM/DMARC)
PIPL / MLPS 2.0
Cross-border data, M365 China tenant, and MLPS alignment
- ▸PIPL data residency review
- ▸MLPS 2.0 gap analysis
- ▸Cloud resource inventory
DPDP Act
Data protection controls and access lifecycle
- ▸DPDP compliance review
- ▸JML permission audit
- ▸Endpoint and backup coverage
Personal Data Protection Act
Local M365 boundaries and collaboration permissions
- ▸Permission and guest access review
- ▸Teams/SharePoint audit
- ▸Mobile device controls
PDPA 2010
SME and regional hub audit delivery
- ▸PDPA 2010 gap analysis
- ▸Asset and patching review
- ▸Wi-Fi and network baseline
Decree 13
Remote discovery plus APAC NOC-supported delivery
- ▸Personal data protection review
- ▸Access and endpoint audit
- ▸Backup verification
PDPA 2019
Bangkok and regional office audit support
- ▸PDPA 2019 alignment
- ▸SaaS permission audit
- ▸Incident response review
IT audit delivery by region
SME Project Audit
Microsoft 365 & hybrid IT audit scope
Fixed-scope audit for organisations with fewer than 20 IT users. Covers identity, access, endpoints, assets, patching, backups, software control, and mobile security — with optional add-ons scoped during discovery.
User Accounts & Authentication
Identity lifecycle and authentication hardening across Microsoft 365 and hybrid directories.
- ▸Microsoft 365 / Azure AD and local account inventory
- ▸Onboarding, offboarding, and dormant account review
- ▸MFA enforcement and password policy assessment
- ▸Privileged and service account management
- ▸SSO and Conditional Access policy review
Access Permissions & Authorization
Least-privilege and segregation-of-duties review across collaboration platforms.
- ▸RBAC across Microsoft 365, file shares, and applications
- ▸SharePoint, OneDrive, and Teams permission audit
- ▸Security group and dynamic group membership review
- ▸Guest and external user access
- ▸Segregation of Duties (SoD) for critical functions
Endpoint Security & EDR
Microsoft Defender for Endpoint and Intune compliance posture.
- ▸Defender deployment and configuration status
- ▸EDR policies, ASR, and exploit protection
- ▸Intune device compliance policies
- ▸Antivirus effectiveness and update status
- ▸Firewall and host-based protection settings
IT Asset Management
Complete hardware, software, and cloud asset visibility.
- ▸Endpoint, server, and peripheral inventory
- ▸Asset tagging, ownership, and lifecycle tracking
- ▸Azure and Microsoft 365 license inventory
- ▸Network device inventory
- ▸Asset disposal and decommissioning procedures
Security Patching & Vulnerability Management
Patch posture and vulnerability remediation process review.
- ▸Windows, macOS, and application patch status
- ▸Microsoft 365 / Azure patch management
- ▸Vulnerability scanning and remediation workflow
- ▸Patch policy and schedule review
Data Backup & Recovery
Backup coverage, testing, and ransomware resilience.
- ▸OneDrive, Azure Backup, and third-party backup review
- ▸Backup frequency, retention, and restore testing
- ▸Server, endpoint, cloud, and email coverage
- ▸DR/BCP and ransomware protection (immutability, air-gap)
Authorized Software & Application Control
Software approval, shadow IT, and license compliance.
- ▸Software approval process and policy
- ▸Approved application inventory
- ▸Application whitelisting / blacklisting
- ▸Shadow IT discovery
- ▸Microsoft 365 and software license compliance
Mobile Device Security
Corporate and BYOD controls via Intune MDM/MAM.
- ▸MDM/MAM policy review via Intune
- ▸Corporate-owned and BYOD enrollment controls
- ▸Work profile separation and containerization
- ▸Remote wipe, encryption, and passcode requirements
- ▸Mobile threat defense capabilities
Network & Email Security
Perimeter and messaging controls often scoped as add-ons.
- ▸Network segmentation and Wi-Fi security
- ▸Anti-phishing and spoofing protection
- ▸DMARC / DKIM / SPF configuration
- ▸Microsoft 365 Secure Score review
Recommended add-ons — scoped during discovery
Section 9 areas and additional compliance frameworks can be included in Comprehensive or Premium tiers:
- ▸Network security (segmentation, Wi-Fi, VPN)
- ▸Email security (anti-phishing, DMARC/DKIM/SPF)
- ▸Cloud security posture (Microsoft 365 Secure Score)
- ▸Logging, monitoring, and SIEM capabilities
- ▸Physical security and office access controls
- ▸Security awareness training and phishing simulation results
- ▸Incident response plan and past incident review
- ▸PDPO, ISO 27001, GDPR, and other compliance gap analysis
SME Project Pricing
Fixed-price audit tiers for fewer than 20 IT users
All prices in USD. Effort estimate: 50–80 hours (senior consultant + support), including documentation, tool-based scans, interviews, and report writing.
Pricing shown is for SME engagements with fewer than 20 IT users. Enterprise and recurring programs are quoted separately.
Core Audit
USD 3,800
Sections 1–8 — full baseline coverage
- ✓User accounts, access, endpoints, and assets
- ✓Patching, backups, software control, and mobile
- ✓Written audit report with prioritised roadmap
- ✓Debrief session with your IT and management team
Comprehensive Audit
USD 4,900 – 5,500
Core + key Section 9 add-ons
- ✓Everything in Core Audit
- ✓Microsoft 365 Secure Score review
- ✓Email security (DMARC/DKIM/SPF)
- ✓Basic network / Wi-Fi review
- ✓Incident response plan review
- ✓PDPO / ISO 27001 gap analysis
Premium
USD 7,000+
Full scope + light remediation support
- ✓Everything in Comprehensive Audit
- ✓Full Section 9 scope as agreed
- ✓4–8 hours post-audit consulting
- ✓Implementation support for top priorities
Full Audit Catalog
17 audit services across 7 categories
Beyond the SME project scope, Brocent delivers enterprise-grade security, compliance, cloud, governance, and specialist audits — each with defined frequency, deliverables, and industry fit.
I — Security Audits
1.Information Security Audit
Quarterly- Endpoint security baseline (EDR/antivirus, disk encryption, screensaver policy)
- USB control policy execution audit
- Remote access / VPN security audit
- MFA coverage audit
- Password policy and shared account audit
- Office equipment security (printers, Wi-Fi)
Best for: All industries; especially organisations with formal security requirements
Deliverables: Audit report + remediation recommendation list
2.Penetration Testing & Vulnerability Assessment
Semi-annual / Annual- External and internal penetration testing
- Web and mobile application testing
- API security testing
- Vulnerability scanning and risk rating
- Social engineering testing
Best for: Internet, financial services, and external-facing systems
Deliverables: Penetration test report + vulnerability remediation plan
3.Log & Activity Audit
Monthly- Tier 1: Endpoint activity logs (login, USB, file copy, printing)
- Tier 2: Data access logs (shares, databases, cloud storage)
- Tier 3: Outbound transmission logs (email, web upload, IM, public links)
- Tier 4: Permission change logs (admin, authorization, policy changes)
- Anomaly detection rule effectiveness and alert response timeliness
- Log integrity and anti-tamper verification
Best for: Family offices, financial institutions, law and consulting firms
Deliverables: Log audit report + anomaly behaviour analysis report
II — Compliance Audits
4.Compliance Audit
Annual / certification cycle- PDPO (Hong Kong) — collection, retention, subject rights, outsourcing
- ISO 27001 information security management system audit
- SOC 1 / SOC 2 audit support
- GDPR compliance audit
- MLPS 2.0 (China) compliance audit
Best for: Hong Kong enterprises, multinationals, financial and medical sectors
Deliverables: Compliance audit report + gap analysis + remediation roadmap
5.Data Protection & Privacy Audit
Semi-annual- Data classification and grading implementation
- Data encryption policy execution
- Data outbound channel control
- External sharing and public link permission audit
- Backup and recovery strategy audit
- Data destruction process audit
Best for: All enterprises processing customer data
Deliverables: Data protection audit report + data map
III — Asset & Infrastructure Audits
6.IT Asset Audit
Quarterly- Full lifecycle audit (purchase, configuration, deployment, destruction, retirement)
- Terminals, network equipment, servers/storage, and software licensing
- Asset tagging and ownership verification
Best for: All enterprises; especially 50+ staff organisations
Deliverables: Asset ledger + asset audit report + license compliance report
7.Network & Infrastructure Audit
Semi-annual- Firewall rule audit and optimization
- Network ACL and traffic baseline audit
- VPN remote access control
- NAS/backup strategy and recovery drill verification
- Network equipment configuration audit
Best for: Enterprises with complex network architectures
Deliverables: Network audit report + topology optimization suggestions
IV — Cloud Platform & SaaS Audits
8.Cloud Platform Security Audit
Semi-annual- Layer 1: Account lifecycle (opening, allocation, change, disable)
- Layer 2: Security baseline (MFA, passwordless, password standards)
- Layer 3: Resource/cost management (isolation, tagging, cost tracking)
- Layer 4: Monitoring/audit (anomaly detection, permission alarms)
- Layer 5: Compliance/reporting (automated detection, report export)
- AWS / Azure / GCP and production/test environment isolation
Best for: Cloud-native and heavy SaaS users
Deliverables: Cloud security audit report + architecture optimization suggestions
9.SaaS Application Audit
Quarterly- Microsoft 365 and Google Workspace security audit
- Email security (SPF/DKIM/DMARC)
- Anti-phishing and spam protection
- Shared permission, abnormal login, and external sharing audits
Best for: All enterprises using collaboration platforms
Deliverables: SaaS security audit report + permission cleanup list
V — Personnel & Permission Audits
10.JML Permission Audit (Joiner / Mover / Leaver)
Quarterly- Joiner: account provisioning timeliness and least privilege
- Mover: permission change timeliness and old permission recovery
- Leaver: deactivation, full permission recovery, device return
- SoD matrix audit, over-permission management, inactive account cleanup
Best for: Enterprises with high personnel turnover
Deliverables: JML audit report + permission optimization suggestions
11.Key Credential Management Audit
Semi-annual- Cloud infrastructure credentials (AWS root, domain registrars)
- Production platform super-admin credentials
- Encryption keys and MFA recovery codes
- HSM backups and encrypted disk recovery keys
- Financial system credentials and break-glass accounts
- Dual-control and credential change approval processes
Best for: Financial institutions, family offices, technology companies
Deliverables: Key credential audit report + management process optimization
VI — Governance & Process Audits
12.Change Management Audit
Quarterly- ITIL change management process execution
- Standard change database compliance
- CAB effectiveness, change freezing, rollback plans, post-change review
Best for: Complex IT environments with frequent changes
Deliverables: Change management audit report + process optimization suggestions
13.Risk Assessment Audit
Quarterly- 5-dimensional risk matrix: business impact, security risk, rollback complexity, resource scheduling, technical feasibility
- Risk classification accuracy and disposal progress audit
Best for: All enterprises; especially high-risk industries
Deliverables: Risk assessment report + risk disposal tracking list
14.Incident Response Audit
Quarterly- 7-step IR process: detection → escalation → notification → repair → recovery → review → improvement
- Alarm response timeliness and RCA quality
- Post-incident improvement implementation audit
Best for: Enterprises with security incident history
Deliverables: Incident response audit report + emergency process optimization
VII — Specialist Audits
15.File & Document Audit
Semi-annual- File access permission audit
- Sensitive document classification and protection
- Document version control and external transmission audit
- Electronic document retention and destruction audit
Best for: Law firms, consulting, design, and document-intensive enterprises
Deliverables: Document audit report + permission cleanup list
16.Physical Security Audit
Annual- Server room access control audit
- CCTV coverage and compliance audit
- Video storage and access audit
- Sensitive document storage environment security
Best for: Enterprises with server rooms or sensitive areas
Deliverables: Physical security audit report + rectification suggestions
17.Vendor & Third-Party Audit
Annual- Vendor security background assessment
- Third-party access security audit
- SLA execution status audit
- Cross-border data compliance audit
Best for: Enterprises heavily dependent on third-party services
Deliverables: Vendor audit report + risk list
Recurring Audit Packages
Ongoing audit cadence — packages A to D
After a baseline assessment, many clients retain Brocent on a monthly, quarterly, semi-annual, or annual audit program. Packages combine catalog services into a predictable delivery rhythm.
Monthly Audit Package
Monthly- ▸Log and abnormal behaviour audit
- ▸Alert response audit
- ▸Monthly management report
Enterprises requiring continuous monitoring
Monthly audit briefing + management dashboard
Quarterly Audit Package
Quarterly- ▸Personnel permission (JML) audit
- ▸IT asset ledger audit
- ▸Security risk assessment
- ▸Quarterly management report
Standard choice for most enterprises
Quarterly comprehensive audit report + improvement tracking sheet
Semi-Annual Audit Package
Semi-annual- ▸Penetration testing
- ▸Backup recovery drill
- ▸Cloud platform security audit
- ▸Semi-annual comprehensive report
Mid-to-large enterprises and high-risk industries
Semi-annual audit report + period summary
Annual Audit Package
Annual- ▸Compliance audit
- ▸SOC / ISO certification audit support
- ▸Annual comprehensive security audit
- ▸Annual summary and next-year planning
All enterprises — annual compliance and management reporting
Annual audit white paper + next-year audit plan
What You Receive
Structured findings you can act on
50–80 hrs
Typical SME project effort
17
Audit services in full catalog
4
Recurring package cadences
8
APAC markets supported
- ✓Tool-based scans (Microsoft Defender, Secure Score, vulnerability tools)
- ✓Stakeholder interviews and documentation review
- ✓Risk-ranked written audit report with executive summary
- ✓Prioritised remediation roadmap (quick wins + strategic investments)
- ✓Debrief session with IT leadership and optional post-audit consulting
How We Work
A structured audit process — no surprises
Scoping & Access
Define audit boundary, access requirements, and regulatory frameworks. Agree read-only credentials and tool deployment plan.
Discovery & Interviews
Automated discovery, tool-based scans, and structured interviews across IT, security, and business stakeholders.
Analysis & Findings
Findings analysed against best practice and jurisdiction-specific compliance requirements. Gaps risk-rated by business impact.
Report & Roadmap
Full audit report delivered with prioritised improvement roadmap. Debrief with your IT and management team.
FAQ
Common questions about IT assessment & audit
Can you audit IT environments across multiple APAC countries? +
Yes. Brocent delivers unified scope and reporting with per-jurisdiction compliance notes for Hong Kong, Singapore, China, India, Taiwan, Malaysia, Vietnam, and Thailand. Remote discovery is combined with onsite work where required, coordinated through our regional service centers.
What is the difference between the SME project audit and the full catalog? +
The SME project audit is a fixed-price engagement (Core from USD 3,800) covering nine baseline domains for organisations with fewer than 20 IT users. The full catalog lists 17 specialist audit services for enterprise and regulated programs — quoted based on scope, frequency, and environment complexity.
How do recurring packages relate to a baseline audit? +
Most clients start with a baseline SME or Comprehensive audit, then move to Package B (quarterly) or Package D (annual) for ongoing governance. Package A suits continuous log monitoring; Package C adds penetration testing and cloud audits on a semi-annual rhythm.
Which compliance frameworks do you assess against? +
We map findings to PDPO (Hong Kong), PDPA (Singapore, Malaysia, Thailand), PIPL and MLPS 2.0 (China), DPDP Act (India), ISO 27001, SOC 1/2, GDPR, and CIS Controls — depending on your operating markets and industry requirements.
Related Services
Extend your security and compliance program
Many audit findings lead naturally to managed services, penetration testing, or consulting engagements.
Ready to assess your IT environment?
Tell us your user count, operating markets, and compliance drivers. We will recommend the right SME tier, catalog services, or recurring package — and respond within one business day.