Uploaded by jiggerbarnacle, 24 Nov 2013

The Influence of Internal Audit on Information Security Effectiveness: Perceptions of Internal Auditors

Ray Henrickson, CA, CPA, CISA
VP Information Systems and Technology Audit
The Bank of Nova Scotia

Background

- System environment
  - Complex, integrated systems
  - Millions of transactions a day
  - 1,000+ systems
  - Multiple IT channels
  - 150+ people in the information security area
  - Large security budget
  - Comprehensive and sophisticated security controls
  - Industry cooperation and collaboration
- Business environment
  - Highly desirable target
  - Extensive collaboration with third parties
  - The bad guys are really clever

Positives

- Tried to link perceptions of the relationship to quantitative outcomes
- Sample population
  - The majority of respondents are in regulated businesses, although there is no indication of the size of the organization or the size of the security function/budget
- Demographics
  - A professionally experienced and skilled audit population
- The study recognized and effectively dealt with its inherent limitations
  - Small sample size; cross-sectional rather than longitudinal study

Surprises

- Relatively small number of findings and incidents reported
- The number of security-related audit findings had decreased over the past three years
- The number of security incidents in the past year had slightly decreased from what it was three years earlier

Study Results

(The original slide is a diagram; the relationships it examines are listed here.)

- Quality of Relationship and Audit findings
- Quality of Relationship and Security Incidents
- Frequency of Audit and Quality of Relationship
- Frequency of Audit and Audit findings
- Frequency of Audit and Security Incidents

Consider: Definitions

- Quality of the relationship
  - The factors that underpin it
- Frequency of audit
  - Difficult to link some of the identified areas to security
- Security incident
  - What is a security incident? Malware, identity theft, phishing, code-level deficiencies such as cross-site scripting or SQL injection, loss/theft of an asset, man-in-the-middle / man-in-the-browser, DDoS, mobile computing, economic espionage, end-user computing, segregation of duties, etc.
- Audit finding
  - What is its significance? What is the root cause of the finding: not doing the right thing, or not doing things right?

Consider: Risk

- To understand the auditors' views on the choices and risk ranking of security versus other functional areas
- To assess the significance of the security issues and audit findings
- Not all issues and findings are of equal significance

My Takeaways

- Quality of relationship and frequency of audit do not seem to relate to the number of findings or the number of security incidents, but may be related to something else:
  - Audit efficiency
  - Audit scope and objectives
  - Relevance of issues and recommendations
  - Quality of reporting
- Supplemental analysis confirmed it is easier to find issues with the people than with the technology.

My Takeaways (continued)

- No conclusion on how Internal Audit positively influences the effectiveness of information security
- Results may indicate that auditor independence and objectivity are not influenced by quality of relationship or frequency of audit
- Both Audit and Information Security are working independently and collaboratively towards the same objective: improved information security

Value of the Work

- Identifies some factors associated with relationships in the audit environment
- Findings likely apply to other audit relationships
- Suitable as a starting point for future studies by IS Assurance academics

Future Research

- Use different performance metrics
- Clarity in the definition of terms
- More information on the size of the organization and the size of the security and audit functions
- More granular information on the nature and significance of audit issues
- Consider the organization's assessment of risk
- Validate the survey in advance with an internal audit practitioner