The influence of a good relationship between the internal audit and information security functions on information security outcomes

Paul John Steinbart; Robyn L. Raschke; Graham Gal; William N. Dilla

doi:10.1016/j.aos.2018.04.005

The influence of a good relationship between the internal audit and information security functions on information security outcomes

Paul John Steinbart, Robyn L. Raschke, Graham Gal, William N. Dilla

Information Systems

Research output: Contribution to journal › Article › peer-review

66 Scopus citations

Abstract

Given the increasing financial impact of cybercrime, it has become critical for companies to manage information security risk. The practitioner literature has long argued that the internal audit function (IAF) can play an important role both in providing assurance with respect to information security and in generating insights about how to improve the organization's information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of noncompliance, as well as on the numbers of security incidents detected, both before and after they caused material harm to the organization. In addition, we find that higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions.

Original language	English (US)
Pages (from-to)	15-29
Number of pages	15
Journal	Accounting, Organizations and Society
Volume	71
DOIs	https://doi.org/10.1016/j.aos.2018.04.005
State	Published - Nov 2018

Keywords

Governance
IT audit
Information security
Internal audit
Risk management
Security metrics

ASJC Scopus subject areas

Accounting
Sociology and Political Science
Organizational Behavior and Human Resource Management
Information Systems and Management

Access to Document

10.1016/j.aos.2018.04.005

Cite this

@article{9a0f684992674897a35813f162561693,

title = "The influence of a good relationship between the internal audit and information security functions on information security outcomes",

abstract = "Given the increasing financial impact of cybercrime, it has become critical for companies to manage information security risk. The practitioner literature has long argued that the internal audit function (IAF) can play an important role both in providing assurance with respect to information security and in generating insights about how to improve the organization's information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of noncompliance, as well as on the numbers of security incidents detected, both before and after they caused material harm to the organization. In addition, we find that higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions.",

keywords = "Governance, IT audit, Information security, Internal audit, Risk management, Security metrics",

author = "Steinbart, {Paul John} and Raschke, {Robyn L.} and Graham Gal and Dilla, {William N.}",

note = "Funding Information: We thank the selection committee of the first Journal of Information Systems Research Conference for supporting our proposal for providing access to professional participants. We also thank the IMTA section of the AICPA, especially Susan Pierce, for their assistance in obtaining the data analyzed in this manuscript. In addition, we appreciate the comments from the participants in the Rutgers University Accounting Research Workshop and the 2016 Dewald Roode Workshop on Information Security and Privacy on earlier versions of this manuscript. Finally, we want to acknowledge the anonymous reviewers and the editor for their feedback and assistance in improving this paper. Of course, we are accountable for any remaining errors. Publisher Copyright: {\textcopyright} 2018 Elsevier Ltd",

year = "2018",

month = nov,

doi = "10.1016/j.aos.2018.04.005",

language = "English (US)",

volume = "71",

pages = "15--29",

journal = "Accounting, Organizations and Society",

issn = "0361-3682",

publisher = "Elsevier Limited",

}

TY - JOUR

T1 - The influence of a good relationship between the internal audit and information security functions on information security outcomes

AU - Steinbart, Paul John

AU - Raschke, Robyn L.

AU - Gal, Graham

AU - Dilla, William N.

N1 - Funding Information: We thank the selection committee of the first Journal of Information Systems Research Conference for supporting our proposal for providing access to professional participants. We also thank the IMTA section of the AICPA, especially Susan Pierce, for their assistance in obtaining the data analyzed in this manuscript. In addition, we appreciate the comments from the participants in the Rutgers University Accounting Research Workshop and the 2016 Dewald Roode Workshop on Information Security and Privacy on earlier versions of this manuscript. Finally, we want to acknowledge the anonymous reviewers and the editor for their feedback and assistance in improving this paper. Of course, we are accountable for any remaining errors. Publisher Copyright: © 2018 Elsevier Ltd

PY - 2018/11

Y1 - 2018/11

N2 - Given the increasing financial impact of cybercrime, it has become critical for companies to manage information security risk. The practitioner literature has long argued that the internal audit function (IAF) can play an important role both in providing assurance with respect to information security and in generating insights about how to improve the organization's information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of noncompliance, as well as on the numbers of security incidents detected, both before and after they caused material harm to the organization. In addition, we find that higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions.

AB - Given the increasing financial impact of cybercrime, it has become critical for companies to manage information security risk. The practitioner literature has long argued that the internal audit function (IAF) can play an important role both in providing assurance with respect to information security and in generating insights about how to improve the organization's information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of noncompliance, as well as on the numbers of security incidents detected, both before and after they caused material harm to the organization. In addition, we find that higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions.

KW - Governance

KW - IT audit

KW - Information security

KW - Internal audit

KW - Risk management

KW - Security metrics

UR - http://www.scopus.com/inward/record.url?scp=85047437309&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85047437309&partnerID=8YFLogxK

U2 - 10.1016/j.aos.2018.04.005

DO - 10.1016/j.aos.2018.04.005

M3 - Article

AN - SCOPUS:85047437309

SN - 0361-3682

VL - 71

SP - 15

EP - 29

JO - Accounting, Organizations and Society

JF - Accounting, Organizations and Society

ER -

The influence of a good relationship between the internal audit and information security functions on information security outcomes

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this