Discussion of:
“The Relationship between
Internal Audit and Information
Security: An Exploratory
Severin Grabski
Michigan State University
2011 UWCISA Symposium
Toronto, Canada
Stated Objective
Investigate the nature of the
relationship between information
security and internal audit
• Important – Critical component of
Corporate Governance
• Motivation needs to be more than
“no empirical research exists”
Tasks Accomplished
• Established that the IA role has been
generally ignored in the literature
• Conducted semi-structured
interviews with IA and IS security
• Identified factors that impact the
nature of the relationship between
IA and IS functions
• Had sense of concern
Proposed Model
IA vs. IS Control View
• IA
• IS
Stage of attempted
o Configuration –
o Access (Preventive)
• IA Review
o Monitoring – Detective o Monitoring –
Control objective
o Preventive
o Detective
o Corrective
• What’s missing?
• What happened to Corrective?
Proposed Model
“…no empirical research investigating
how well the two functions work
together.” (p.5)
Proposed Model • Never addresses Role of IA and IS
• How Should IA and IS Interact?
o Model only shows tasks and how they are
• Is there Theory for this Interaction?
SOX & IT Governance
• Case Study of Charles Schwab
Corporation (Damianides 2005)
• Top management sought improved IT
Governance Framework
o IA recommended COBIT
o Improve IS controls
o Enhance IT & Business Processes
o Map audits to COBIT
• On a high level, this shows units
working together
Proposed Model
But… (p. 131)??
So How Did This
Proposed Model Occur?
From Here!
Includes Monitoring
& Documentation
Basis for Proposed Model
• Ransbotham & Mitra (2009) Model is about
external attacks on an organization –
information security compromise process
• How does this relate to “Internal” Controls?
• How does this relate to securing the system
from the “Innocent Incompetent”?
Proposed Model
So How Did We Get
Figure 3?
Proposed Model
I Got Lost!
I Need a Map
Where’s the Theory?
• While there has not been any
study of IA and IS working
together, there has been many
studies of organizations and
institutional structure
• Possible theory –
Neo-institutional Theory
Neo-institutional Theory
• Should be used for studying IT security
issues in organizations (Bjorck 2004)
o Can be used to explain differences in
formal and actual security behavior
o Can be used to explain why formal
security structures are created and not
fully implemented
• Can be used to explain how
institutional factors influence the
behavior of individuals (Hu et al. 2007)
Neo-institutional Theory
• Organizations are structured by
phenomena in institutional
environment and become
isomorphic with them
• Two parts
• Process in which components of
formal structure become
accepted, and are seen as
appropriate and needed
• Decision to adopt depends upon
whether the innovation will
improve internal processes
• Explains how institutional structures
and practices propagate among
o Coercive Isomorphism (External pressure)
o Mimetic Isomorphism (Imitation)
• Software selection (Tingling & Parent 2002)
o Normative Isomorphism (Professionalism)
• Mediating role of top management in
ES assimilation (Liang et al. 2007)
Benefit of Theory
• Guide formulation of constructs &
interview questions
• Focus does not need to be on
testing neo-institutional theory
• Focus can be on extending theory
• Could still use case-based
Research Instrument
• Discuss “perceived inequality”
o Never appears in research instrument
o What does appear is “Working
• Suggest that “Organizational
Characteristics” impact relationship
o “Working Relationship,” “Audit
Demographics,” and “IT Demographics”
are used
Setting - Education
• Concern about Security
o More or less in Education than Business?
States also have laws/penalties for data
disclosure, etc.) impact Universities
• Manuscript states that security was
not an overarching strategic factor.
• How can security not be a major
Research Method
• Good Approach
• Did the participants get the
opportunity to review the transcripts
and correct errors/omissions?
• Need to state in the Research Method
section that an IA and IS security
person were interviewed at institutions
that did not outsource IA (information
is only in Table 1)
• Technical Knowledge
o Tech knowledge  deeper
o Or is it that they know the correct
questions to ask and can bring value to
the IS team?
• Communication Skills
o If IA explains what & why, than IS is
• Auditor’s Perception of the Role of IA
vis-à-vis Information Security
• Does Technical Knowledge Result
in Improved Communication Skills
& Result in Increased Cooperation
with IS?
IS perceived top management to be very
supportive of information security but,
adequate resources were not necessarily
forthcoming (in Not For Profit)
• How can IS and IA work smarter with
fewer (limited) resources?
For Profit
• Budgetary Support
• Incentive for Audit Compliance
• Why?
Security Issues
Related to Financial
IT Corporate
Relationships Matter
Relationships Matter
• A collaborative relationship between
the internal audit and information
systems security functions increases
user compliance, improves the
effectiveness of internal audit (P6 A&B)
• More interesting question:
How is a collaborative relationship
Additional Survey
• Interviewed CIO
o IA was “bad guy” in the past
o IA had stringent standards
o Didn’t understand that IT Security is situational
(practical, unsecure to totally secure but
• SSN need high security
• Other stuff can be wide-open
o Had to work with IA to be “practical”
• Could not apply all of COBIT all the time!
o IA acts like an extra set of eyes & ears
• Working smarter
Additional Survey
• IA did not want to disclose
standards used in audit
o Releasing audit standards viewed as
“teaching to the test”
o Needed to get shared understanding of
standards  good practices
• IS can now share these good practices
• Facilitates audit
• IS can help invent technologies to meet
new standards, e.g., PCI, etc.
Additional Survey
• IA tells IS the annual audit plan
• IS uses IA for help garnering additional
o Card Lock system for Server Rooms
o Expanded for Physical Security across
• CIO & IA Director have mutual respect
• This “Top Management” directly
influences the other IA and IS unit
• Need clear evolutionary path from
literature to Figure 2 to Figure 3
• Theory
• Gap between questions in research
instrument and issues identified in the
• Relationship to ERM
• Operationalize Constructs
• Model Specified Correctly?
Closing Comments
• Enjoyed manuscript
• Do we know if the proposed model
(Figure 3) would change if the IA and
IS were viewed as belonging to
o “High performing” organizations?
o “Low performing” organizations?

similar documents