← Search

The influence of a good relationship between the internal audit and information security functions on information security outcomes

Paul John Steinbart1; Robyn L. Raschke2; Graham Gal3; William N. Dilla4

1 Arizona State University · 2 University of Nevada, Las Vegas · 3 University of Massachusetts Amherst · 4 Iowa State University

Accounting, Organizations and Society 2018

Given the increasing financial impact of cybercrime, it has become critical for companies to manage information security risk. The practitioner literature has long argued that the internal audit function (IAF) can play an important role both in providing assurance with respect to information security and in generating insights about how to improve the organization's information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of noncompliance, as well as on the numbers of security incidents detected, both before and after they caused material harm to the organization. In addition, we find that higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions.

DOI
10.1016/j.aos.2018.04.005
Volume
71
Pages
15-29
Language
en
Export
BibTeX
Sources
semanticscholar openalex crossref