The influence of internal audit on information security effectiveness

October 5, 2013

Perceptions of Internal Auditors

Graham Gal

With

Paul Steinbart, Robyn Raschke, and Bill Dilla


Outline

  • Previous Work

  • Method and Hypothesis

  • Results

  • Implications


Previous Work

  • Impact of monitoring on information security

    • Monitoring of controls reduces risk (R & M 2009)

    • Monitoring as an enabling process (ITGI 2012)

    • Relationship between INFOSEC and IA

      • Compliance with SOX (Wallace et al. 2011)

      • Infosec perceptions of effectiveness (Steinbart et al. 2013)

      • Frequency of interaction

      • Knowledge of domain

    • Incidents

    • Findings


Method and Hypothesis Tested

  • Data Collection

    • Web Based Survey

  • Subjects: 42

    • Certifications (98%)

    • Work Experience (74% > 10 years)

    • Type of firm

      • For profit 82%

      • Across industries: 42% financial services, 26% Health/Education/Professional Services


Hypothesis Tested

  • H1: Internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions will be positively related to the number of audit findings related to information security.

  • H2: Internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions will be negatively related to the frequency of security incidents.

  • H3: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be positively associated with internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions.

  • H4: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be positively associated with the number of audit findings related to information security.

  • H5: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be negatively associated with the number and severity of security incidents.


Relationship Quality

Quality of Relationship between information security and internal audit:

  • Members of information security and internal audit work together to assure information systems are secure and reliable

  • There is little friction between internal audit and information security

  • The relationship between internal audit and information security staff is close and personal

  • There is a good working relationship between internal audit and information security


[Figure: research model. Nodes: Frequency of Internal Audit Review of Info Security; Quality of Relationship between IA and Infosec; Outcomes (Findings and Security Incidents); Top Management Support. Path labels: H3***, H1 & H2, H4 & H5, ***.]


Frequency of the Review

Internal Audit Reviews of Information Security Topics:

  • Business Continuity and Disaster Recovery

  • Identity and Access Management

  • Logging and System Monitoring

  • Firewalls and Other Network Access Devices

  • Encryption policies (including key management)

  • Backup Procedures

  • Change Management Controls

  • Security Policies


[Figure: research model, outcome = findings. Nodes: Frequency of Internal Audit Review Financial Items; Frequency of Internal Audit Review Technical Items; Quality of Relationship between IA and Infosec; Outcomes (Findings); Top Management Support. Path labels: H3a***, H4a***, H1 & H2, H5a***, ***.]


[Figure: research model, outcome = incidents. Nodes: Frequency of Internal Audit Review Financial Items; Frequency of Internal Audit Review Technical Items; Quality of Relationship between IA and Infosec; Outcomes (Incidents); Top Management Support. Path labels: H3b***, H4b, H1 & H2, H5b, ***.]


Implications

  • Frequency improved perceptions of quality of relationship

    • Similar to our previous work

    • IA mean of overall frequency implies IA could be more involved

  • Impact on outcomes

    • Relationship is improved by frequency

    • No mediated impact on outcomes (findings or incidents)

    • Decomposed types of reviews

      • “Softer People Oriented” and “Technical” reviews impact findings

      • “Softer People Oriented” and “Technical” reviews do not impact incidents

