B BROCENT
All Services

IT Assessment & Audit

Vendor-neutral IT audit with a prioritised improvement roadmap — delivered across APAC

Brocent delivers structured IT assessments from SME project audits through enterprise security, compliance, and governance programs. Whether you need a Microsoft 365 baseline review for fewer than 20 users, a full 17-service audit catalog, or recurring quarterly and annual packages — we provide risk-ranked findings, jurisdiction-specific compliance notes, and actionable remediation roadmaps across Hong Kong, Singapore, China, India, Taiwan, Malaysia, Vietnam, and Thailand.

Hong Kong Singapore China India Taiwan Malaysia Vietnam Thailand
Coverage Hong KongSingaporeShanghaiBeijingMumbaiBangaloreTaipeiKuala LumpurHo Chi Minh CityBangkok All Cities →

Who It's For

From SME baselines to enterprise audit programs

SMEs with fewer than 20 IT users needing a fixed-scope Microsoft 365 and hybrid environment audit with transparent USD pricing.

Enterprises and regulated industries requiring security, compliance, cloud, governance, or vendor audits on a defined cadence.

Organisations with offices across multiple APAC markets needing unified reporting with per-jurisdiction PDPO, PDPA, PIPL, DPDP, and ISO 27001 gap analysis.

Regional Delivery

Compliance-aware audit delivery across APAC

Each engagement maps findings to the privacy and security frameworks relevant to your operating markets. Explore Brocent's regional IT services for local delivery context.

IT audit delivery by region

SME Project Audit

Microsoft 365 & hybrid IT audit scope

Fixed-scope audit for organisations with fewer than 20 IT users. Covers identity, access, endpoints, assets, patching, backups, software control, and mobile security — with optional add-ons scoped during discovery.

👤

User Accounts & Authentication

Identity lifecycle and authentication hardening across Microsoft 365 and hybrid directories.

  • Microsoft 365 / Azure AD and local account inventory
  • Onboarding, offboarding, and dormant account review
  • MFA enforcement and password policy assessment
  • Privileged and service account management
  • SSO and Conditional Access policy review
🔐

Access Permissions & Authorization

Least-privilege and segregation-of-duties review across collaboration platforms.

  • RBAC across Microsoft 365, file shares, and applications
  • SharePoint, OneDrive, and Teams permission audit
  • Security group and dynamic group membership review
  • Guest and external user access
  • Segregation of Duties (SoD) for critical functions
🛡️

Endpoint Security & EDR

Microsoft Defender for Endpoint and Intune compliance posture.

  • Defender deployment and configuration status
  • EDR policies, ASR, and exploit protection
  • Intune device compliance policies
  • Antivirus effectiveness and update status
  • Firewall and host-based protection settings
💻

IT Asset Management

Complete hardware, software, and cloud asset visibility.

  • Endpoint, server, and peripheral inventory
  • Asset tagging, ownership, and lifecycle tracking
  • Azure and Microsoft 365 license inventory
  • Network device inventory
  • Asset disposal and decommissioning procedures
🔄

Security Patching & Vulnerability Management

Patch posture and vulnerability remediation process review.

  • Windows, macOS, and application patch status
  • Microsoft 365 / Azure patch management
  • Vulnerability scanning and remediation workflow
  • Patch policy and schedule review
💾

Data Backup & Recovery

Backup coverage, testing, and ransomware resilience.

  • OneDrive, Azure Backup, and third-party backup review
  • Backup frequency, retention, and restore testing
  • Server, endpoint, cloud, and email coverage
  • DR/BCP and ransomware protection (immutability, air-gap)
📦

Authorized Software & Application Control

Software approval, shadow IT, and license compliance.

  • Software approval process and policy
  • Approved application inventory
  • Application whitelisting / blacklisting
  • Shadow IT discovery
  • Microsoft 365 and software license compliance
📱

Mobile Device Security

Corporate and BYOD controls via Intune MDM/MAM.

  • MDM/MAM policy review via Intune
  • Corporate-owned and BYOD enrollment controls
  • Work profile separation and containerization
  • Remote wipe, encryption, and passcode requirements
  • Mobile threat defense capabilities
🌐

Network & Email Security

Perimeter and messaging controls often scoped as add-ons.

  • Network segmentation and Wi-Fi security
  • Anti-phishing and spoofing protection
  • DMARC / DKIM / SPF configuration
  • Microsoft 365 Secure Score review

Recommended add-ons — scoped during discovery

Section 9 areas and additional compliance frameworks can be included in Comprehensive or Premium tiers:

  • Network security (segmentation, Wi-Fi, VPN)
  • Email security (anti-phishing, DMARC/DKIM/SPF)
  • Cloud security posture (Microsoft 365 Secure Score)
  • Logging, monitoring, and SIEM capabilities
  • Physical security and office access controls
  • Security awareness training and phishing simulation results
  • Incident response plan and past incident review
  • PDPO, ISO 27001, GDPR, and other compliance gap analysis

SME Project Pricing

Fixed-price audit tiers for fewer than 20 IT users

All prices in USD. Effort estimate: 50–80 hours (senior consultant + support), including documentation, tool-based scans, interviews, and report writing.

Pricing shown is for SME engagements with fewer than 20 IT users. Enterprise and recurring programs are quoted separately.

Core Audit

USD 3,800

Sections 1–8 — full baseline coverage

  • User accounts, access, endpoints, and assets
  • Patching, backups, software control, and mobile
  • Written audit report with prioritised roadmap
  • Debrief session with your IT and management team
Request an audit quote

Comprehensive Audit

USD 4,900 – 5,500

Core + key Section 9 add-ons

  • Everything in Core Audit
  • Microsoft 365 Secure Score review
  • Email security (DMARC/DKIM/SPF)
  • Basic network / Wi-Fi review
  • Incident response plan review
  • PDPO / ISO 27001 gap analysis
Request an audit quote

Premium

USD 7,000+

Full scope + light remediation support

  • Everything in Comprehensive Audit
  • Full Section 9 scope as agreed
  • 4–8 hours post-audit consulting
  • Implementation support for top priorities
Request an audit quote

Full Audit Catalog

17 audit services across 7 categories

Beyond the SME project scope, Brocent delivers enterprise-grade security, compliance, cloud, governance, and specialist audits — each with defined frequency, deliverables, and industry fit.

I — Security Audits

1.Information Security Audit

Quarterly
  • Endpoint security baseline (EDR/antivirus, disk encryption, screensaver policy)
  • USB control policy execution audit
  • Remote access / VPN security audit
  • MFA coverage audit
  • Password policy and shared account audit
  • Office equipment security (printers, Wi-Fi)

Best for: All industries; especially organisations with formal security requirements

Deliverables: Audit report + remediation recommendation list

2.Penetration Testing & Vulnerability Assessment

Semi-annual / Annual
  • External and internal penetration testing
  • Web and mobile application testing
  • API security testing
  • Vulnerability scanning and risk rating
  • Social engineering testing

Best for: Internet, financial services, and external-facing systems

Deliverables: Penetration test report + vulnerability remediation plan

Learn more →

3.Log & Activity Audit

Monthly
  • Tier 1: Endpoint activity logs (login, USB, file copy, printing)
  • Tier 2: Data access logs (shares, databases, cloud storage)
  • Tier 3: Outbound transmission logs (email, web upload, IM, public links)
  • Tier 4: Permission change logs (admin, authorization, policy changes)
  • Anomaly detection rule effectiveness and alert response timeliness
  • Log integrity and anti-tamper verification

Best for: Family offices, financial institutions, law and consulting firms

Deliverables: Log audit report + anomaly behaviour analysis report

II — Compliance Audits

4.Compliance Audit

Annual / certification cycle
  • PDPO (Hong Kong) — collection, retention, subject rights, outsourcing
  • ISO 27001 information security management system audit
  • SOC 1 / SOC 2 audit support
  • GDPR compliance audit
  • MLPS 2.0 (China) compliance audit

Best for: Hong Kong enterprises, multinationals, financial and medical sectors

Deliverables: Compliance audit report + gap analysis + remediation roadmap

5.Data Protection & Privacy Audit

Semi-annual
  • Data classification and grading implementation
  • Data encryption policy execution
  • Data outbound channel control
  • External sharing and public link permission audit
  • Backup and recovery strategy audit
  • Data destruction process audit

Best for: All enterprises processing customer data

Deliverables: Data protection audit report + data map

III — Asset & Infrastructure Audits

6.IT Asset Audit

Quarterly
  • Full lifecycle audit (purchase, configuration, deployment, destruction, retirement)
  • Terminals, network equipment, servers/storage, and software licensing
  • Asset tagging and ownership verification

Best for: All enterprises; especially 50+ staff organisations

Deliverables: Asset ledger + asset audit report + license compliance report

7.Network & Infrastructure Audit

Semi-annual
  • Firewall rule audit and optimization
  • Network ACL and traffic baseline audit
  • VPN remote access control
  • NAS/backup strategy and recovery drill verification
  • Network equipment configuration audit

Best for: Enterprises with complex network architectures

Deliverables: Network audit report + topology optimization suggestions

IV — Cloud Platform & SaaS Audits

8.Cloud Platform Security Audit

Semi-annual
  • Layer 1: Account lifecycle (opening, allocation, change, disable)
  • Layer 2: Security baseline (MFA, passwordless, password standards)
  • Layer 3: Resource/cost management (isolation, tagging, cost tracking)
  • Layer 4: Monitoring/audit (anomaly detection, permission alarms)
  • Layer 5: Compliance/reporting (automated detection, report export)
  • AWS / Azure / GCP and production/test environment isolation

Best for: Cloud-native and heavy SaaS users

Deliverables: Cloud security audit report + architecture optimization suggestions

Learn more →

9.SaaS Application Audit

Quarterly
  • Microsoft 365 and Google Workspace security audit
  • Email security (SPF/DKIM/DMARC)
  • Anti-phishing and spam protection
  • Shared permission, abnormal login, and external sharing audits

Best for: All enterprises using collaboration platforms

Deliverables: SaaS security audit report + permission cleanup list

Learn more →

V — Personnel & Permission Audits

10.JML Permission Audit (Joiner / Mover / Leaver)

Quarterly
  • Joiner: account provisioning timeliness and least privilege
  • Mover: permission change timeliness and old permission recovery
  • Leaver: deactivation, full permission recovery, device return
  • SoD matrix audit, over-permission management, inactive account cleanup

Best for: Enterprises with high personnel turnover

Deliverables: JML audit report + permission optimization suggestions

11.Key Credential Management Audit

Semi-annual
  • Cloud infrastructure credentials (AWS root, domain registrars)
  • Production platform super-admin credentials
  • Encryption keys and MFA recovery codes
  • HSM backups and encrypted disk recovery keys
  • Financial system credentials and break-glass accounts
  • Dual-control and credential change approval processes

Best for: Financial institutions, family offices, technology companies

Deliverables: Key credential audit report + management process optimization

VI — Governance & Process Audits

12.Change Management Audit

Quarterly
  • ITIL change management process execution
  • Standard change database compliance
  • CAB effectiveness, change freezing, rollback plans, post-change review

Best for: Complex IT environments with frequent changes

Deliverables: Change management audit report + process optimization suggestions

13.Risk Assessment Audit

Quarterly
  • 5-dimensional risk matrix: business impact, security risk, rollback complexity, resource scheduling, technical feasibility
  • Risk classification accuracy and disposal progress audit

Best for: All enterprises; especially high-risk industries

Deliverables: Risk assessment report + risk disposal tracking list

14.Incident Response Audit

Quarterly
  • 7-step IR process: detection → escalation → notification → repair → recovery → review → improvement
  • Alarm response timeliness and RCA quality
  • Post-incident improvement implementation audit

Best for: Enterprises with security incident history

Deliverables: Incident response audit report + emergency process optimization

VII — Specialist Audits

15.File & Document Audit

Semi-annual
  • File access permission audit
  • Sensitive document classification and protection
  • Document version control and external transmission audit
  • Electronic document retention and destruction audit

Best for: Law firms, consulting, design, and document-intensive enterprises

Deliverables: Document audit report + permission cleanup list

16.Physical Security Audit

Annual
  • Server room access control audit
  • CCTV coverage and compliance audit
  • Video storage and access audit
  • Sensitive document storage environment security

Best for: Enterprises with server rooms or sensitive areas

Deliverables: Physical security audit report + rectification suggestions

17.Vendor & Third-Party Audit

Annual
  • Vendor security background assessment
  • Third-party access security audit
  • SLA execution status audit
  • Cross-border data compliance audit

Best for: Enterprises heavily dependent on third-party services

Deliverables: Vendor audit report + risk list

Recurring Audit Packages

Ongoing audit cadence — packages A to D

After a baseline assessment, many clients retain Brocent on a monthly, quarterly, semi-annual, or annual audit program. Packages combine catalog services into a predictable delivery rhythm.

A

Monthly Audit Package

Monthly
  • Log and abnormal behaviour audit
  • Alert response audit
  • Monthly management report

Enterprises requiring continuous monitoring

Monthly audit briefing + management dashboard

B

Quarterly Audit Package

Quarterly
  • Personnel permission (JML) audit
  • IT asset ledger audit
  • Security risk assessment
  • Quarterly management report

Standard choice for most enterprises

Quarterly comprehensive audit report + improvement tracking sheet

C

Semi-Annual Audit Package

Semi-annual
  • Penetration testing
  • Backup recovery drill
  • Cloud platform security audit
  • Semi-annual comprehensive report

Mid-to-large enterprises and high-risk industries

Semi-annual audit report + period summary

D

Annual Audit Package

Annual
  • Compliance audit
  • SOC / ISO certification audit support
  • Annual comprehensive security audit
  • Annual summary and next-year planning

All enterprises — annual compliance and management reporting

Annual audit white paper + next-year audit plan

What You Receive

Structured findings you can act on

50–80 hrs

Typical SME project effort

17

Audit services in full catalog

4

Recurring package cadences

8

APAC markets supported

  • Tool-based scans (Microsoft Defender, Secure Score, vulnerability tools)
  • Stakeholder interviews and documentation review
  • Risk-ranked written audit report with executive summary
  • Prioritised remediation roadmap (quick wins + strategic investments)
  • Debrief session with IT leadership and optional post-audit consulting

How We Work

A structured audit process — no surprises

01

Scoping & Access

Define audit boundary, access requirements, and regulatory frameworks. Agree read-only credentials and tool deployment plan.

02

Discovery & Interviews

Automated discovery, tool-based scans, and structured interviews across IT, security, and business stakeholders.

03

Analysis & Findings

Findings analysed against best practice and jurisdiction-specific compliance requirements. Gaps risk-rated by business impact.

04

Report & Roadmap

Full audit report delivered with prioritised improvement roadmap. Debrief with your IT and management team.

FAQ

Common questions about IT assessment & audit

Can you audit IT environments across multiple APAC countries? +

Yes. Brocent delivers unified scope and reporting with per-jurisdiction compliance notes for Hong Kong, Singapore, China, India, Taiwan, Malaysia, Vietnam, and Thailand. Remote discovery is combined with onsite work where required, coordinated through our regional service centers.

What is the difference between the SME project audit and the full catalog? +

The SME project audit is a fixed-price engagement (Core from USD 3,800) covering nine baseline domains for organisations with fewer than 20 IT users. The full catalog lists 17 specialist audit services for enterprise and regulated programs — quoted based on scope, frequency, and environment complexity.

How do recurring packages relate to a baseline audit? +

Most clients start with a baseline SME or Comprehensive audit, then move to Package B (quarterly) or Package D (annual) for ongoing governance. Package A suits continuous log monitoring; Package C adds penetration testing and cloud audits on a semi-annual rhythm.

Which compliance frameworks do you assess against? +

We map findings to PDPO (Hong Kong), PDPA (Singapore, Malaysia, Thailand), PIPL and MLPS 2.0 (China), DPDP Act (India), ISO 27001, SOC 1/2, GDPR, and CIS Controls — depending on your operating markets and industry requirements.

Ready to assess your IT environment?

Tell us your user count, operating markets, and compliance drivers. We will recommend the right SME tier, catalog services, or recurring package — and respond within one business day.