Free download of the English article: Factors associated with security/cybersecurity audit using internal audit - Emerald 2018

Persian title: Factors associated with security/cybersecurity audit using internal audit: An international study
English title: Factors associated with security/cybersecurity audit by internal audit function: An international study
Persian article pages: 0
English article pages: 34
Year of publication: 2018
Publisher: Emerald
English article format: PDF
Product code: E7065
Fields related to this article: Accounting
Specializations related to this article: Auditing
Journal: Managerial Auditing Journal
University: Louisiana Tech University - Ruston - Louisiana - USA
Keywords: internal audit, cybersecurity, board governance
Abstract


Purpose – The purpose of the study is to explore the factors associated with the extent of security/cybersecurity audit by the internal audit function (IAF) of the firm. Specifically, the authors focused on whether IAF/CAE (certified audit executive [CAE]) characteristics, board involvement related to governance, role of the audit committee (or equivalent) and the chief risk officer (CRO) and IAF tasked with enterprise risk management (ERM) are associated with the extent to which the firm engages in security/cybersecurity audit.

Design/methodology/approach – For analysis, the paper uses responses of 970 CAEs as compiled in the Common Body of Knowledge database (CBOK, 2015) developed by the Institute of Internal Auditors Research Foundation (IIARF).

Findings – The results of the study suggest that the extent of security/cybersecurity audit by IAF is significantly and positively associated with IAF competence related to governance, risk and control. Board support regarding governance is also significant and positive. However, the Audit Committee (AC) or equivalent and the CRO role are not significant across the regions studied. Comprehensive risk assessment done by IAF and IAF quality have a significant and positive effect on security/cybersecurity audit. Unexpectedly, CAEs with security certification and IAFs tasked with ERM do not have a significant effect on security/cybersecurity audit; however, other certifications such as CISA or CPA have a marginal or mixed effect on the extent of security/cybersecurity audit.

Originality/value – This study is the first to describe IAF involvement in security/cybersecurity audit. It provides insights into the specific IAF/CAE characteristics and corporate governance characteristics that can lead IAF to contribute significantly to security/cybersecurity audit. The findings add to the results of prior studies on the IAF involvement in different IT-related aspects such as IT audit and XBRL implementation and on the role of the board and the audit committee (or its equivalent) in ERM and the detection and correction of security breaches.

Discussion and conclusion


The purpose of the study is to explore the factors associated with the extent of security/cybersecurity audits by the IAF. Using responses from 970 CAEs across different regions represented in the CBOK (2015) database, it was determined that the extent of security/cybersecurity audit by the IAF in firms is not uniform across different regions and countries. Different factors play different roles across the regions and countries with regard to the prevalence of security/cybersecurity audit. Descriptive statistics and univariate analysis of data suggest that IAFs across different regions significantly differ in their involvement with security/cybersecurity risks. For example, the number of CAEs with security certification is far lower in our sample when compared to traditional certifications such as CPA or CIA. This result is both expected and to a degree unexpected. It is expected in the sense that security is not a direct area of responsibility for CAEs to deal with; however, in view of the rising tide of cyberattacks, IAFs are expected by stakeholders to play a leading role in cybersecurity risk management programs in organizations. Nevertheless, the data indicate that CAEs are still not well prepared to lead this role, as reflected by the low percentage of CAEs with pertinent security certifications. This finding mirrors that of Steinbart et al. (2012, 2013), in which they documented that when internal auditors possess detailed technical expertise about information security, they are able to develop deeper relationships with the IS security function. However, certification remains significantly and positively associated with IT audit (Abdolmohammadi and Boss, 2010).

