
International Journal of Accounting Information Systems 13 (2012) 228–243


The relationship between internal audit and information security: An exploratory investigation

Paul John Steinbart a,⁎, Robyn L. Raschke b,1, Graham Gal c,2, William N. Dilla d,3

a Department of Information Systems, W. P. Carey School of Business, Arizona State University, Box 874606, Tempe, AZ 85287-4606, United States
b University of Nevada Las Vegas, 4505 S. Maryland Parkway, Box 456003, Las Vegas, NV 89154-6003, United States
c Isenberg School of Management, University of Massachusetts, Amherst, MA 01003, United States
d Department of Accounting, College of Business, Iowa State University, 2330 Gerdin Business Building, Ames, IA 50011-1685, United States

Article info

Article history: Received 27 May 2011; Accepted 1 June 2012.
Keywords: Internal audit; Information systems security; Security behaviors.

Abstract

The internal audit and information security functions should work together synergistically: the information security staff designs, implements, and operates various procedures and technologies to protect the organization's information resources, and internal audit provides periodic feedback concerning the effectiveness of those activities along with suggestions for improvement. Anecdotal reports in the professional literature, however, suggest that the two functions do not always have a harmonious relationship. This paper presents the first stage of a research program designed to investigate the nature of the relationship between the information security and internal audit functions. It reports the results of a series of semi-structured interviews with both internal auditors and information systems professionals. We develop an exploratory model of the factors that influence the nature of the relationship between the internal audit and information security functions, describe the potential benefits organizations can derive from that relationship, and present propositions to guide future research.

© 2012 Elsevier Inc. All rights reserved.

1. Introduction

Information security is necessary not only to protect an organization's resources, but also to ensure the reliability of its financial statements and other managerial reports (AICPA and CICA, 2008). Consequently, COBIT⁴ (ITGI 2007), a normative framework for control and governance of information technology, stresses that it is a component of management's governance responsibilities to design and implement a cost-effective information security program. As a result, IS researchers have begun to investigate various dimensions of information security governance. One stream of research has focused on measuring the value of investments in information security (Gordon and Loeb 2002; Gordon et al. 2003; Cavusoglu et al. 2004a; Iheagwara 2004; Bodin et al. 2005, 2008; Kumar et al. 2008). A second stream of research has examined stock market reactions to disclosures of information security initiatives (Gordon et al. 2010) and incidents (Campbell et al. 2003; Cavusoglu et al. 2004b; Ito et al. 2010). A third stream of research has examined ways to improve end user compliance with an organization's information security policies (D'Arcy et al. 2009; Bulgurcu et al. 2010; Johnston and Warkentin 2010; Siponen and Vance 2010; Spears and Barki 2010). Little attention, however, has been paid to the operational aspects of information security governance (Dhillon et al. 2007). Indeed, in their review of prior IS research on information systems security governance, Mishra and Dhillon (2006, 20) conclude that the “role of human actors and issues relating to management of people in the organization is not emphasized in popular definitions of information systems security governance.” In particular, they note that the view of information systems security governance used in prior research “does not allow incorporating the importance of the audit process of systems and management of security details at operational level of business process” (Mishra and Dhillon 2006, 21).

In addition, a recent web survey conducted by the Institute of Internal Auditors (IIA) recommends a partnership approach between internal audit and IT operations to improve returns on IT control activity investments (Phelps and Milne 2008). This lack of attention to the operational dimension of information security governance in general, and to the specific relationship between the internal audit and information security functions in particular, is surprising, given the emphasis the normative literature places on these issues. For example, COBIT specifically prescribes that management should “establish and maintain an optimal co-ordination, communication and liaison structure between the IT function and … the corporate compliance group” (PO4.15). In addition, “the control environment should be based on a culture that … encourages cross-divisional co-operation and teamwork …” (PO6.1). Furthermore, it is important to “obtain independent assurance (internal or external) about the conformance of IT with … the organization's policies, standards, and procedures …” (ME4.7).

In most organizations, both the information systems and internal audit functions are involved with information security. The IS function has primary responsibility for designing, implementing, and maintaining a cost-effective information security program. Internal audit provides an independent review and analysis of the organization's information security initiatives. Ideally, the feedback provided by internal audit can be used to improve the overall effectiveness of the organization's information security. These two functions should work together synergistically to maximize the effectiveness of an organization's information systems security program. Indeed, Wallace et al. (2011) provide evidence that the level of cooperation between the internal audit and information security functions is positively associated with the organization's level of compliance with the IT-related internal control requirements of the Sarbanes–Oxley Act.

Despite the importance of, and the value that may be derived from, the relationship between internal audit and information security, there has been no empirical research investigating how well the two functions work together. This paper reports the results of a study that takes the first steps to fill this gap in the literature. We conducted a series of semi-structured interviews with both internal auditors and information systems security professionals to identify the factors that determine the nature of the relationship between the internal audit and information security functions. The dearth of prior research makes such an exploratory approach appropriate. Like case studies, semi-structured interviews with multiple organizations provide an opportunity to explore an under-researched topic and develop research propositions worthy of further investigation (Yin 2003).

The remainder of this paper is organized as follows. Section 2 reviews prior literature and presents a model of how the internal audit and information security functions can work together to help organizations achieve a cost-effective level of information security. Section 3 describes the structured interview method and provides demographic background about the interviewees and the organizations for which they worked. Section 4 presents the common themes that emerged from the interviews. Section 5 concludes the paper by developing a model of the factors that affect the relationship between the internal audit and information security functions and a set of propositions that can be used to guide further research on this topic.

⁎ Corresponding author. E-mail addresses: [email protected] (P.J. Steinbart), [email protected] (R.L. Raschke), [email protected] (G. Gal), [email protected] (W.N. Dilla).
1 Tel.: +1 702 895 5756. 2 Tel.: +1 413 545 5649. 3 Tel.: +1 515 294 1685.
4 All references are to COBIT v4.1; COBIT version 5 was not released until after the research was conducted.
1467-0895/$ – see front matter © 2012 Elsevier Inc. All rights reserved. doi:10.1016/j.accinf.2012.06.007

2. Background

Organizations employ a variety of tools and procedures to provide a desired level of information security. Accountants and auditors typically categorize controls as being preventive, detective, or corrective in nature (Ratliff et al. 1996). Firewalls, intrusion prevention systems, physical and logical access controls, device configuration, and encryption are widely used methods to prevent undesirable events. Intrusion detection systems, vulnerability scans, penetration tests, and logs are examples of controls designed to detect potential problems and security incidents. Incident response teams, business continuity management, and patch management systems are commonly used examples of controls designed to correct problems that have been identified.

Ransbotham and Mitra (2009) have developed an alternative way to categorize information security-related controls based on the stage during an attempted information security compromise in which the control is most likely to be effective. Fig. 1 shows Ransbotham and Mitra's (2009) hypothesized relationships among three categories of information security controls.

[Fig. 1. Relationships among different types of information security controls (adapted from Ransbotham and Mitra 2009, 131).]

Configuration controls include methods such as vulnerability scans and patch management systems, which reduce the likelihood that attackers will succeed in identifying weaknesses to exploit. Access controls include tools such as firewalls, intrusion prevention systems, physical access controls, and authentication and authorization procedures, which are used to reduce the likelihood of an attacker successfully obtaining unauthorized access to a system.
Monitoring controls include documentation and log analysis, which function to detect problems and provide information necessary for remediation.⁵

According to Ransbotham and Mitra (2009), the three types of information systems security controls differ in their objectives. Configuration controls directly reduce the likelihood of an information security compromise by blocking targeted reconnaissance efforts. Access controls also directly reduce the likelihood of compromise by blocking unauthorized attempts to access the system. In contrast to the other two categories, monitoring controls do not directly reduce the risk of an information security compromise. Instead, monitoring controls indirectly reduce the risk of an incident by improving the effectiveness of the other two categories of controls. For example, proper documentation reduces the risk of overlooking key systems when altering default configurations, employing patches, deploying firewalls, and implementing other types of security controls. Similarly, log analysis can help identify the causes of incidents; such knowledge can then be used to modify existing controls to reduce the risk that a similar attack will succeed in the future.

Ransbotham and Mitra (2009) focus on the role of the information systems security function in implementing all three types of controls. However, as normative guidance (IIA, 2005; ITGI, 2007: COBIT sections DS5.5 and ME2) suggests, the organization's internal audit function should periodically assess the effectiveness of internal controls, including those related to information systems security. Therefore, Ransbotham and Mitra's (2009) logic concerning the value of monitoring controls suggests by extension that internal audit review can improve the effectiveness of an organization's information security efforts. However, Ransbotham and Mitra (2009) did not test, but only postulated, the potential value of monitoring controls in improving the effectiveness of other information security procedures. Moreover, their model implicitly assumes the existence of a feedback process that uses the information collected by monitoring controls to modify and improve the organization's configuration and access controls. Feedback from internal audits can improve the effectiveness and efficiency of information security processes only to the extent that individuals responsible for the security function take corrective actions in response to audit findings or recommendations. Information security managers' willingness to respond to an internal audit report may be determined, at least in part, by the quality of the relationship they have with the internal audit function. Although a good relationship between the internal audit and information security functions has been found to improve an organization's level of compliance with the IT-related internal control requirements of the Sarbanes–Oxley Act (Wallace et al. 2011), there is also abundant evidence that the relationship between internal audit and other functions within organizations is often strained (Tucci 2009; Dittenhofer et al. 2010). Thus, it is important to understand the factors that influence the nature of the relationship between the internal audit and information security functions.

5 Ransbotham and Mitra use the term “audit controls” to refer to this concept. Given our focus on the role of internal audit, we adopt the term “monitoring” controls to avoid confusion.
Miscommunication between internal audit and information security may have a negative impact on the relationship between these functions. Indeed, there is considerable evidence that communication problems which reflect differences in background and knowledge underlie many of the disagreements that often occur between CFOs and CIOs (CFO Europe Research Services 2008). Differences in department size, culture, resources, and unit management's attitudes are other potential causes of relationship problems between organizational units (Smith et al. 2010). Finally, differences in access to top management may influence the relationship between internal audit and information security. The internal audit function typically reports functionally to the Board of Directors and administratively to senior management (IIA 2009). In contrast, the information systems security function often does not have a direct reporting relationship to top management, but instead usually reports to the head of the IT function (e.g., to the CIO) (Bussey 2011). Thus, anecdotal reports of sub-optimality in relationships between the internal audit and information systems security functions may be due to organizational characteristics that affect the quality of communications. In order to explore this possibility and identify other potential factors that may hinder or advance the development of optimal cooperation between the internal audit and information systems security functions, we conducted a series of semi-structured interviews with both internal auditors and information systems security professionals.

3. Research method

In order to conduct an initial examination of the factors that influence the nature of the relationship between an organization's information security and internal audit functions, we conducted a set of structured interviews at four organizations in the education industry. Appendix A presents the list of questions we asked and the underlying source motivation for each topic.
Table 1 provides descriptive demographic information about our sample. We chose to focus on educational institutions for four reasons. First, we wanted to explore the relationship between internal audit and information security in a “typical” industry rather than one most likely to employ cutting-edge best practices. Therefore, we ruled out industries where information security is a dominant concern, such as defense contractors and financial services firms. Second, educational institutions have a diverse user base where both employees (faculty and staff) and customers (students) make substantial use of the entity's user applications. Thus, educational institutions must address the complex set of information security challenges that arise when access to the corporate network is provided to non-employees. Moreover, one set of employees (faculty) represents a particularly interesting user group because of their high degree of autonomy and independence (Hawkey et al., 2008; Schaffhauser, 2010). Third, educational institutions must comply with a number of different regulatory requirements. All are subject to the privacy-related issues delineated in the Family Educational Rights and Privacy Act (FERPA). They are also subject to the provisions of the Gramm–Leach–Bliley Act (GLBA) regarding processing of financial transactions and must comply with the PCI-DSS standards for credit card transactions. Finally, educational institutions are continually addressing changes to their business processes. For example, as educational technologies evolve, institutions must address security issues involved with delivering course content and maintaining confidential student records online. All of these factors make educational institutions a rich setting in which to begin investigating the nature of the relationship between the information security and internal audit functions.

Table 1. Descriptive information about interviewed organizations (Institutions A, B, C, and D).

Type: A, public university; B, public university; C, private university; D, private, for-profit university.
Size (approximate number of students): A, 27,000; B, 28,000; C, 19,000; D, 5,600.
Size (approximate number of faculty): A, 1,100; B, 1,700; C, 1,800; D, 335.
Number of campuses: A, 5; B, 1; C, 11; D, 1.
Size of IT staff: A, 200; B, 200; C, 50; D, 50.
Number of IT staff dedicated to information security: A, 3; B, 12; C, 1; D, 3.
Title of security professional interviewed: A, Information security manager; B, Chief Information Security Officer (CISO); C, Security manager; D, Chief Information Technology Officer (CITO).
Title of internal auditor interviewed: A, IT auditor; B, Internal audit manager; C, Internal audit senior manager; D, None (internal audit function outsourced).
Number of internal audit staff with IT audit expertise: A, 3; B, 0; C, 2; D, N/A.
Formal reporting channels:
  A: Internal audit and information security are organized by campus and have direct contact with each other.
  B: Internal audit reports to the board of regents; no formal channels of communication between internal audit and information security.
  C: Information security reports to the CIO; the CIO and the head of internal audit have a close personal relationship.
  D: Internal audit is outsourced, so there are no informal communications between the internal audit and information security functions.

Each interview took place at the interviewee's wo...
