The Influence of Internal Audit on Information Security effectiveness: Perceptions of Internal Auditors Ray Henrickson CA CPA CISA VP Information Systems and Technology Audit The Bank of Nova Scotia




Page 1

The Influence of Internal Audit on Information Security effectiveness: Perceptions of Internal Auditors

Ray Henrickson CA CPA CISA, VP Information Systems and Technology Audit
The Bank of Nova Scotia

Page 2

Background

• System environment
  – Complex, integrated systems
    • Millions of transactions a day
    • +1,000 systems
    • Multiple IT channels
  – +150 people in information security area
  – Large security budget
  – Comprehensive and sophisticated security controls
  – Industry cooperation and collaboration
• Business environment
  – Highly desirable target
  – Extensive collaboration with third parties
  – The bad guys are really clever

Page 3

Positives

• Tried to link perceptions of relationship to quantitative outcomes
• Sample Population
  – Majority of respondents are in regulated businesses, although there is no indication of the size of the organization or the size of the security function/budget.
  – Demographics – professionally experienced and skilled audit population.
• The study recognized and effectively dealt with inherent limitations – small sample size, cross-sectional vs longitudinal study

Page 4

Surprises

• Relatively small number of findings and incidents reported
• Number of security-related audit findings had decreased over the past three years
• Number of security incidents in the past year had slightly decreased from what it was three years earlier

Page 5

Study Results

• Quality of Relationship – Audit findings; Security Incidents
• Frequency of Audit – Relationship
• Frequency of Audit – Audit findings; Security Incidents

Page 6

Consider – Definitions

• Quality of the relationship – The factors that underpin it
• Frequency of audit – Difficult to link some of the identified areas to security
• Security incident – What is a security incident?
  – malware, identity theft, phishing, code-level deficiency such as cross-site scripting or SQL injection, loss/theft of asset, man-in-the-middle/browser, DDOS, mobile computing, economic espionage, end user computing, segregation of duties, etc.
• Audit finding – What is the significance? What is the root cause of the finding – not doing the right thing or not doing things right?

Page 7

Consider – Risk

• To understand the auditors’ views on the choices and risk ranking of security vs other functional areas
• To assess the significance of the security issues and audit findings
  – Not all issues and findings are of equal significance

Page 8

My Takeaways

• Quality of relationship and frequency of audit don’t seem to relate to number of findings or number of security incidents but may be related to something else:
  • Audit efficiency
  • Audit scope and objectives
  • Relevance of issues and recommendations
  • Quality of reporting
• Supplemental analysis confirmed it is easier to find issues with the people than the technology.

Page 9

My Takeaways

• No conclusion on how Internal Audit positively influences the effectiveness of information security
• Results may indicate that auditor independence and objectivity are not influenced by Quality of Relationship or Frequency of Audit
• Both Audit and Information Security are working independently and collaboratively towards the same objective – improved information security

Page 10

Value of the Work

• Identifies some factors associated with relationships in the audit environment.
• Findings likely apply to other audit relationships.
• Suitable as a starting point for future studies by IS Assurance academics

Page 11

Future Research

• Use different performance metrics
• Clarity of definition of terms
• More information on the size of the organization, the size of the security and the audit functions
• More granular information on nature and significance of audit issues
• Consider the organization’s assessment of risk
• Validate the survey in advance with an internal audit practitioner