
The Influence of Internal Audit on Information Security Effectiveness:
Perceptions of Internal Auditors

Ray Henrickson, CA, CPA, CISA
VP Information Systems and Technology Audit
The Bank of Nova Scotia

Background

• System environment
  – Complex, integrated systems
  – Millions of transactions a day
  – +1,000 systems
  – Multiple IT channels
  – +150 people in the information security area
  – Large security budget
  – Comprehensive and sophisticated security controls
  – Industry cooperation and collaboration
• Business environment
  – Highly desirable target
  – Extensive collaboration with third parties
  – The bad guys are really clever

Positives

• Tried to link perceptions of relationship to quantitative outcomes
• Sample population
  – Majority of respondents are in regulated businesses, although there is no indication of the size of the organization or the size of the security function/budget.
  – Demographics – professionally experienced and skilled audit population.
• The study recognized and effectively dealt with inherent limitations – small sample size, cross-sectional vs. longitudinal study

Surprises

• Relatively small number of findings and incidents reported
• Number of security-related audit findings had decreased over the past three years
• Number of security incidents in the past year had slightly decreased from what it was three years earlier

Study Results

• Quality of Relationship: Audit findings, Security Incidents
• Frequency of Audit: Relationship
• Frequency of Audit: Audit findings, Security Incidents

Consider – Definitions

• Quality of the relationship – the factors that underpin it
• Frequency of audit – difficult to link some of the identified areas to security
• Security incident – what is a security incident?
  – malware, identity theft, phishing, code-level deficiencies such as cross-site scripting or SQL injection, loss/theft of an asset, man-in-the-middle/browser, DDoS, mobile computing, economic espionage, end-user computing, segregation of duties, etc.
• Audit finding – what is the significance? What is the root cause of the finding – not doing the right thing, or not doing things right?

Consider – Risk

• To understand the auditors' views on the choices and risk ranking of security vs. other functional areas
• To assess the significance of the security issues and audit findings
  – Not all issues and findings are of equal significance

My Takeaways

• Quality of relationship and frequency of audit don't seem to relate to the number of findings or the number of security incidents, but may be related to something else:
  – Audit efficiency
  – Audit scope and objectives
  – Relevance of issues and recommendations
  – Quality of reporting
• Supplemental analysis confirmed it is easier to find issues with the people than with the technology.

My Takeaways

• No conclusion on how Internal Audit positively influences the effectiveness of information security
• Results may indicate that auditor independence and objectivity are not influenced by quality of relationship or frequency of audit
• Both Audit and Information Security are working independently and collaboratively towards the same objective – improved information security

Value of the Work

• Identifies some factors associated with relationships in the audit environment.
• Findings likely apply to other audit relationships.
• Suitable as a starting point for future studies by IS Assurance academics.

Future Research

• Use different performance metrics
• Clarity of definition of terms
• More information on the size of the organization and the size of the security and audit functions
• More granular information on the nature and significance of audit issues
• Consider the organization's assessment of risk
• Validate the survey in advance with an internal audit practitioner

Recommended