The influence of a good relationship between the internal audit and information security functions on information security outcomes

Paul Steinbart, Robyn L. Raschke, Graham Gal, William N. Dilla

Research output: Contribution to journalArticle

8 Scopus citations

Abstract

Given the increasing financial impact of cybercrime, it has become critical for companies to manage information security risk. The practitioner literature has long argued that the internal audit function (IAF) can play an important role both in providing assurance with respect to information security and in generating insights about how to improve the organization's information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of noncompliance, as well as on the numbers of security incidents detected, both before and after they caused material harm to the organization. In addition, we find that higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions.

Original languageEnglish (US)
JournalAccounting, Organizations and Society
DOIs
StateAccepted/In press - Jan 1 2018

Keywords

  • Governance
  • Information security
  • Internal audit
  • IT audit
  • Risk management
  • Security metrics

ASJC Scopus subject areas

  • Accounting
  • Sociology and Political Science
  • Organizational Behavior and Human Resource Management
  • Information Systems and Management

Fingerprint Dive into the research topics of 'The influence of a good relationship between the internal audit and information security functions on information security outcomes'. Together they form a unique fingerprint.

  • Cite this