The Influence of Internal Audit on Information Security effectiveness: Perceptions of Internal Auditors

  1. The Influence of Internal Audit on Information Security effectiveness: Perceptions of Internal Auditors
  Ray Henrickson CA CPA CISA, VP Information Systems and Technology Audit, The Bank of Nova Scotia

  2. Background
  • System environment
    • Complex, integrated systems
    • Millions of transactions a day
    • +1,000 systems
    • Multiple IT channels
    • +150 people in information security area
    • Large security budget
    • Comprehensive and sophisticated security controls
    • Industry cooperation and collaboration
  • Business environment
    • Highly desirable target
    • Extensive collaboration with third parties
    • The bad guys are really clever

  3. Positives
  • Tried to link perceptions of the relationship to quantitative outcomes
  • Sample population
    • Majority of respondents are in regulated businesses, although there is no indication of the size of the organization or the size of the security function/budget
    • Demographics: a professionally experienced and skilled audit population
  • The study recognized and effectively dealt with its inherent limitations: small sample size, cross-sectional rather than longitudinal study

  4. Surprises
  • Relatively small number of findings and incidents reported
  • Number of security-related audit findings had decreased over the past three years
  • Number of security incidents in the past year had slightly decreased from what it was three years earlier

  5. Study Results (diagram of the relationships examined by the study)
  • Quality of Relationship vs. Audit findings and Security incidents
  • Frequency of Audit vs. Quality of Relationship
  • Frequency of Audit vs. Audit findings and Security incidents

  6. Consider – Definitions
  • Quality of the relationship – what are the factors that underpin it?
  • Frequency of audit – difficult to link some of the identified areas to security
  • Security incident – what is a security incident?
    • malware, identity theft, phishing, code-level deficiencies such as cross-site scripting or SQL injection, loss/theft of an asset, man-in-the-middle/man-in-the-browser, DDoS, mobile computing, economic espionage, end-user computing, segregation of duties, etc.
  • Audit finding – what is its significance? What is the root cause of the finding: not doing the right thing, or not doing things right?

  7. Consider – Risk
  • To understand the auditors' views on the choices and risk ranking of security vs. other functional areas
  • To assess the significance of the security issues and audit findings
  • Not all issues and findings are of equal significance

  8. My Takeaways
  • Quality of relationship and frequency of audit don't seem to relate to the number of findings or the number of security incidents, but may be related to something else:
    • Audit efficiency
    • Audit scope and objectives
    • Relevance of issues and recommendations
    • Quality of reporting
  • Supplemental analysis confirmed it is easier to find issues with the people than with the technology.

  9. My Takeaways
  • No conclusion on how Internal Audit positively influences the effectiveness of information security
  • Results may indicate that auditor independence and objectivity are not influenced by Quality of Relationship or Frequency of Audit
  • Both Audit and Information Security are working independently and collaboratively towards the same objective: improved information security

  10. Value of the Work
  • Identifies some factors associated with relationships in the audit environment.
  • Findings likely apply to other audit relationships.
  • Suitable as a starting point for future studies by IS Assurance academics.

  11. Future Research
  • Use different performance metrics
  • Clarity of definition of terms
  • More information on the size of the organization and the size of the security and audit functions
  • More granular information on the nature and significance of audit issues
  • Consider the organization's assessment of risk
  • Validate the survey in advance with an internal audit practitioner
