The Influence of Internal Audit on Information Security Effectiveness October 5, 2013 Perceptions of Internal Auditors Graham Gal With Paul Steinbart,


1 The Influence of Internal Audit on Information Security Effectiveness
October 5, 2013
Perceptions of Internal Auditors
Graham Gal
With Paul Steinbart, Robyn Raschke, and Bill Dilla

2 University of Waterloo Symposium on Information Integrity and Information Systems Assurance
Outline
– Previous Work
– Method and Hypothesis
– Results
– Implications

3 Previous Work
Impact of monitoring on information security
– Monitoring of controls reduces risk (R & M 2009)
– Monitoring as an enabling process (ITGI 2012)
– Relationship between INFOSEC and IA
  Compliance with SOX (Wallace et al. 2011)
  Infosec perceptions of effectiveness (Steinbart et al. 2013)
  Frequency of interaction
  Knowledge of domain
– Incidents
– Findings

4 Method and Hypothesis Tested
Data Collection
– Web Based Survey
Subjects – 42
– Certifications (98%)
– Work Experience (74% > 10 years)
– Type of firm
  For profit 82%
  Across industries
  42% financial services
  26% Health/Education/Professional Services

5 Hypothesis Tested
H1: Internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions will be positively related to the number of audit findings related to information security.
H2: Internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions will be negatively related to the frequency of security incidents.
H3: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be positively associated with internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions.
H4: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be positively associated with the number of audit findings related to information security.
H5: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be negatively associated with the number and severity of security incidents.

6 Relationship Quality
Quality of Relationship between information security and internal audit
– Members of information security and internal audit work together to assure information systems are secure and reliable
– There is little friction between internal audit and information security
– The relationship between internal audit and information security staff is close and personal
– There is a good working relationship between internal audit and information security

7 [Path model diagram. Boxes: Frequency of Internal Audit Review of Info Security; Quality of Relationship between IA and Infosec; Top Management Support; Outcomes (Findings and Security Incidents). Path labels as extracted: H3 *** H1 & H2 H4 & H5 ***]

8 Frequency of the Review
Internal Audit Reviews of Information Security Topics:
– Business Continuity and Disaster Recovery
– Identity and Access Management
– Logging and System Monitoring
– Firewalls and Other Network Access Devices
– Encryption policies (including key management)
– Backup Procedures
– Change Management Controls
– Security Policies

9 [Path model diagram. Boxes: Frequency of Internal Audit Review Financial Items; Frequency of Internal Audit Review Technical Items; Quality of Relationship between IA and Infosec; Top Management Support; Outcomes (Findings). Path labels as extracted: H3a *** H1 & H2 H4a *** H5a *** ***]

10 [Path model diagram. Boxes: Frequency of Internal Audit Review Financial Items; Frequency of Internal Audit Review Technical Items; Quality of Relationship between IA and Infosec; Top Management Support; Outcomes (Incidents). Path labels as extracted: H3b *** H1 & H2 H4b H5b ***]

11 Implications
Frequency improved perceptions of quality of relationship
– Similar to our previous work
– IA mean of overall frequency implies could be more involved
Impact on outcomes
– Relationship is improved by frequency
– No mediated impact on outcomes (findings or incidents)
– Decomposed types of reviews
  “Softer People Oriented” and “Technical” reviews impact findings
  “Softer People Oriented” and “Technical” reviews do not impact incidents

