
Severin Grabski Michigan State University

Discussion of: “The Relationship between Internal Audit and Information Security: An Exploratory Investigation” . Severin Grabski Michigan State University. 2011 UWCISA Symposium Toronto, Canada. Stated Objective.


Presentation Transcript


  1. Discussion of: “The Relationship between Internal Audit and Information Security: An Exploratory Investigation” Severin Grabski Michigan State University 2011 UWCISA Symposium Toronto, Canada

  2. Stated Objective Investigate the nature of the relationship between information security and internal audit • Important – Critical component of Corporate Governance • Motivation needs to be more than “no empirical research exists”

  3. Tasks Accomplished • Established that the IA role has been generally ignored in the literature • Conducted semi-structured interviews with IA and IS security professionals • Identified factors that impact the nature of the relationship between IA and IS functions

  4. But… • Had sense of concern

  5. Proposed Model

  6. IA vs. IS Control View
     • IA Control objective
       • Preventive
       • Detective
       • Corrective
     • IA Review
       • Monitoring – Detective
     • IS Stage of attempted penetration
       • Configuration – (Preventive)
       • Access – (Preventive)
       • Monitoring – (Detective)
     • What’s missing?
       • What happened to Corrective?

  7. Proposed Model

  8. But… “…no empirical research investigating how well the two functions work together.” (p.5) Proposed Model - • Never addresses Role of IA and IS • How Should IA and IS Interact? • Model only shows tasks and how they are reviewed • Is there Theory for this Interaction?

  9. SOX & IT Governance • Case Study of Charles Schwab Corporation (Damianides 2005) • Top management sought improved IT Governance Framework • IA recommended COBIT • Improve IS controls • Enhance IT & Business Processes • Map audits to COBIT • On a high level, this shows units working together

  10. Proposed Model

  11. But… (p. 131)??

  12. So How Did This Proposed Model Occur?

  13. From Here! Includes Monitoring & Documentation

  14. Basis for Proposed Model

  15. But… • Ransbotham & Mitra (2009) Model is about external attacks on an organization – information security compromise process • How does this relate to “Internal” Controls? • How does this relate to securing the system from the “Innocent Incompetent”?

  16. Proposed Model

  17. So How Did We Get Figure 3?

  18. Proposed Model NEVER TESTED!

  19. I Got Lost! I Need a Map I Need a THEORY

  20. Where’s the Theory? • While there has not been any study of IA and IS working together, there have been many studies of organizations and institutional structure • Possible theory – Neo-institutional Theory

  21. Neo-institutional Theory • Should be used for studying IT security issues in organizations (Bjorck 2004) • Can be used to explain differences in formal and actual security behavior • Can be used to explain why formal security structures are created and not fully implemented • Can be used to explain how institutional factors influence the behavior of individuals (Hu et al. 2007)

  22. Neo-institutional Theory • Organizations are structured by phenomena in the institutional environment and become isomorphic with them • Two parts: Institutionalism, Isomorphism

  23. Institutionalism • Process in which components of formal structure become accepted, and are seen as appropriate and needed • Decision to adopt depends upon whether the innovation will improve internal processes

  24. Isomorphism • Explains how institutional structures and practices propagate among organizations • Coercive Isomorphism (External pressure) • Mimetic Isomorphism (Imitation) • Software selection (Tingling & Parent 2002) • Normative Isomorphism (Professionalism) • Mediating role of top management in ES assimilation (Liang et al. 2007)

  25. Benefit of Theory • Guide formulation of constructs & interview questions • Focus does not need to be on testing neo-institutional theory • Focus can be on extending theory • Could still use case-based approach

  26. Research Instrument • Discuss “perceived inequality” • Never appears in research instrument • What does appear is “Working Relationship” • Suggest that “Organizational Characteristics” impact relationship • “Working Relationship,” “Audit Demographics,” and “IT Demographics” are used

  27. Setting - Education • Concern about Security • More or less in Education than Business? • Many Laws (FERPA, GLBA, PCI, HIPAA; States also have laws/penalties for data disclosure, etc.) impact Universities • Manuscript states that security was not an overarching strategic factor. • How can security not be a major concern?

  28. Research Method • Good Approach • Did the participants get the opportunity to review the transcripts and correct errors/omissions? • Need to state in the Research Method section that an IA person and an IS security person were interviewed at institutions that did not outsource IA (information is only in Table 1)

  29. Findings • Technical Knowledge • Tech knowledge → deeper relationships • Or is it that they know the correct questions to ask and can bring value to the IS team? • Communication Skills • If IA explains what & why, then IS is cooperative • Auditor’s Perception of the Role of IA vis-à-vis Information Security

  30. Findings • Does Technical Knowledge Result in Improved Communication Skills & Result in Increased Cooperation with IS?

  31. IS perceived top management to be very supportive of information security, but adequate resources were not necessarily forthcoming (in Not For Profit)

  32. Findings • How can IS and IA work smarter with fewer (limited) resources?

  33. For Profit • Budgetary Support • Incentive for Audit Compliance • Why? Security Issues Related to Financial Results (diagram: CEO, CFO, IT, Corporate Governance)

  34. Relationships Matter (diagram of IA and IS units)

  35. Relationships Matter • A collaborative relationship between the internal audit and information systems security functions increases user compliance, improves the effectiveness of internal audit (P6 A&B) • More interesting question: How is a collaborative relationship established?

  36. Additional Survey • Interviewed CIO • IA was “bad guy” in the past • IA had stringent standards • Didn’t understand that IT Security is situational (ranging from practical but insecure to totally secure but impractical) • SSNs need high security • Other stuff can be wide-open • Had to work with IA to be “practical” • Could not apply all of COBIT all the time! • IA acts like an extra set of eyes & ears • Working smarter

  37. Additional Survey • IA did not want to disclose standards used in audit • Releasing audit standards viewed as “teaching to the test” • Needed to get shared understanding of standards → good practices • IS can now share these good practices • Facilitates audit • IS can help invent technologies to meet new standards, e.g., PCI, etc.

  38. Additional Survey • IA tells IS the annual audit plan • IS uses IA for help garnering additional resources • Card Lock system for Server Rooms • Expanded for Physical Security across campus • CIO & IA Director have mutual respect • This “Top Management” directly influences the other IA and IS unit employees

  39. Summary • Need clear evolutionary path from literature to Figure 2 to Figure 3 • Theory • Gap between questions in research instrument and issues identified in the manuscript • Relationship to ERM • Operationalize Constructs • Model Specified Correctly?

  40. Closing Comments • Enjoyed manuscript • Do we know if the proposed model (Figure 3) would change if the IA and IS were viewed as belonging to • “High performing” organizations? • “Low performing” organizations?
