IDEAS home Printed from https://ideas.repec.org/a/eee/aosoci/v71y2018icp15-29.html
   My bibliography  Save this article

The influence of a good relationship between the internal audit and information security functions on information security outcomes

Author

Listed:
  • Steinbart, Paul John
  • Raschke, Robyn L.
  • Gal, Graham
  • Dilla, William N.

Abstract

Given the increasing financial impact of cybercrime, it has become critical for companies to manage information security risk. The practitioner literature has long argued that the internal audit function (IAF) can play an important role both in providing assurance with respect to information security and in generating insights about how to improve the organization's information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of noncompliance, as well as on the numbers of security incidents detected, both before and after they caused material harm to the organization. In addition, we find that higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions.

Suggested Citation

  • Steinbart, Paul John & Raschke, Robyn L. & Gal, Graham & Dilla, William N., 2018. "The influence of a good relationship between the internal audit and information security functions on information security outcomes," Accounting, Organizations and Society, Elsevier, vol. 71(C), pages 15-29.
    • Handle: RePEc:eee:aosoci:v:71:y:2018:i:c:p:15-29
    DOI: 10.1016/j.aos.2018.04.005
    as

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0361368218302113
    Download Restriction: Full text for ScienceDirect subscribers only
    File URL: https://libkey.io/10.1016/j.aos.2018.04.005?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Arena, Marika & Arnaboldi, Michela & Azzone, Giovanni, 2010. "The organizational dynamics of Enterprise Risk Management," Accounting, Organizations and Society, Elsevier, vol. 35(7), pages 659-675, October.
    2. Fayard, Dutch & Lee, Lorraine S. & Leitch, Robert A. & Kettinger, William J., 2012. "Effect of internal cost management, information systems integration, and absorptive capacity on inter-organizational cost management in supply chains," Accounting, Organizations and Society, Elsevier, vol. 37(3), pages 168-187.
    3. Tawei Wang & Karthik N. Kannan & Jackie Rees Ulmer, 2013. "The Association Between the Disclosure and the Realization of Information Security Risk Factors," Information Systems Research, INFORMS, vol. 24(2), pages 201-218, June.
    4. Morris, Timothy & Empson, Laura, 1998. "Organisation and expertise: An exploration of knowledge bases and the management of accounting and consulting firms," Accounting, Organizations and Society, Elsevier, vol. 23(5-6), pages 609-624.
    5. Havelka, Douglas & Merhout, Jeffrey W., 2013. "Internal information technology audit process quality: Theory development using structured group processes," International Journal of Accounting Information Systems, Elsevier, vol. 14(3), pages 165-192.
    6. Power, Michael, 2013. "The apparatus of fraud risk," Accounting, Organizations and Society, Elsevier, vol. 38(6), pages 525-543.
    7. Zaini Ahmad & Dennis Taylor, 2009. "Commitment to independence by internal auditors: the effects of role ambiguity and role conflict," Managerial Auditing Journal, Emerald Group Publishing, vol. 24(9), pages 899-925, October.
    8. G. Sarens & I. De Beelde, 2006. "Interaction between internal auditors and senior management: A qualitative analysis of expectations and perceptions," Working Papers of Faculty of Economics and Business Administration, Ghent University, Belgium 06/358, Ghent University, Faculty of Economics and Business Administration.
    9. Yahel Ma’ayan & Abraham Carmeli, 2016. "Internal Audits as a Source of Ethical Behavior, Efficiency, and Effectiveness in Work Units," Journal of Business Ethics, Springer, vol. 137(2), pages 347-363, August.
    10. Fanning, Kirsten & David Piercey, M., 2014. "Internal auditors’ use of interpersonal likability, arguments, and accounting information in a corporate governance setting," Accounting, Organizations and Society, Elsevier, vol. 39(8), pages 575-589.
    11. Stoel, Dale & Havelka, Douglas & Merhout, Jeffrey W., 2012. "An analysis of attributes that impact information technology audit quality: A study of IT and financial audit practitioners," International Journal of Accounting Information Systems, Elsevier, vol. 13(1), pages 60-79.
    12. Sam Ransbotham & Sabyasachi Mitra, 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research, INFORMS, vol. 20(1), pages 121-139, March.
    13. Aimée A. Kane, 2010. "Unlocking Knowledge Transfer Potential: Knowledge Demonstrability and Superordinate Social Identity," Organization Science, INFORMS, vol. 21(3), pages 643-660, June.
    14. San Miguel, Joseph G. & Govindarajan, Vijayaraghavan, 1984. "The contingent relationship between the controller and internal audit functions in large organizations," Accounting, Organizations and Society, Elsevier, vol. 9(2), pages 179-188, June.
    15. Eden, Dov & Moriah, Leah, 1996. "Impact of Internal Auditing on Branch Bank Performance: A Field Experiment," Organizational Behavior and Human Decision Processes, Elsevier, vol. 68(3), pages 262-271, December.
    16. Steinbart, Paul John & Raschke, Robyn L. & Gal, Graham & Dilla, William N., 2012. "The relationship between internal audit and information security: An exploratory investigation," International Journal of Accounting Information Systems, Elsevier, vol. 13(3), pages 228-243.
    17. Laura de Zwaan & Jenny Stewart & Nava Subramaniam, 2011. "Internal audit involvement in enterprise risk management," Managerial Auditing Journal, Emerald Group Publishing, vol. 26(7), pages 586-604, July.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Yusheng Kong & Peter Yao Lartey & Fatoumata Binta Maci Bah & Nirmalya B. Biswas, 2018. "The Value of Public Sector Risk Management: An Empirical Assessment of Ghana," Administrative Sciences, MDPI, vol. 8(3), pages 1-18, July.
    2. Slapničar, Sergeja & Vuko, Tina & Čular, Marko & Drašček, Matej, 2022. "Effectiveness of cybersecurity audit," International Journal of Accounting Information Systems, Elsevier, vol. 44(C).
    3. Didier Fass & Stéphanie Thiéry, 2020. "Cybersecurity risks and situation awareness: Audit committees' appraisal," Post-Print hal-03198562, HAL.
    4. Ya-Fang Wang & Yu-Chu Hsieh, 2023. "Credit Rating and Board Evaluation of Family Firms," International Journal of Business and Economic Sciences Applied Research (IJBESAR), International Hellenic University (IHU), Kavala Campus, Greece (formerly Eastern Macedonia and Thrace Institute of Technology - EMaTTech), vol. 16(1), pages 7-18, October.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Vikash Kumar Sinha & Marika Arena, 2020. "Manifold Conceptions of the Internal Auditing of Risk Culture in the Financial Sector," Journal of Business Ethics, Springer, vol. 162(1), pages 81-102, February.
    2. Mélanie Roussy & Alexandre Perron, 2018. "New Perspectives in Internal Audit Research: A Structured Literature Review," Accounting Perspectives, John Wiley & Sons, vol. 17(3), pages 345-385, September.
    3. Halis Kiral & Hakan Karabacak, 2020. "Resolution of the Internal Audit-Based Role Conflicts in Risk Management: Evidence from Signaling Game Analysis," Group Decision and Negotiation, Springer, vol. 29(5), pages 823-841, October.
    4. Mohannad Obeid Al Shbail, 2018. "The Effect of Role Ambiguity and Role Conflict on Dysfunctional Audit Behaviour: Evidence from Jordan," International Journal of Academic Research in Accounting, Finance and Management Sciences, Human Resource Management Academic Research Society, International Journal of Academic Research in Accounting, Finance and Management Sciences, vol. 8(3), pages 17-25, July.
    5. John D’Arcy & Idris Adjerid & Corey M. Angst & Ante Glavas, 2020. "Too Good to Be True: Firm Social Performance and the Risk of Data Breach," Information Systems Research, INFORMS, vol. 31(4), pages 1200-1223, December.
    6. Jemaa, Fatma, 2022. "Recoupling work beyond COSO: A longitudinal case study of Enterprise-wide Risk Management," Accounting, Organizations and Society, Elsevier, vol. 103(C).
    7. Axelsen, Micheal & Green, Peter & Ridley, Gail, 2017. "Explaining the information systems auditor role in the public sector financial audit," International Journal of Accounting Information Systems, Elsevier, vol. 24(C), pages 15-31.
    8. Lhuillery, Stéphane & Tellechea, Marion & Thiéry, Stéphanie, 2023. "Innovation in lieu of compliance: Internal audit departments’ standardized and non-standardized knowledge sources," Technovation, Elsevier, vol. 123(C).
    9. Benjamin S. Thompson, 2023. "Impact investing in biodiversity conservation with bonds: An analysis of financial and environmental risk," Business Strategy and the Environment, Wiley Blackwell, vol. 32(1), pages 353-368, January.
    10. Li, Yongjian & Zhen, Xueping & Qi, Xiangtong & Cai, Gangshu (George), 2016. "Penalty and financial assistance in a supply chain with supply disruption," Omega, Elsevier, vol. 61(C), pages 167-181.
    11. Namrata Malhotra & Timothy Morris, 2009. "Heterogeneity in Professional Service Firms," Journal of Management Studies, Wiley Blackwell, vol. 46(6), pages 895-922, September.
    12. José Ruiz-Canela López, 2021. "How Can Enterprise Risk Management Help in Evaluating the Operational Risks for a Telecommunications Company?," JRFM, MDPI, vol. 14(3), pages 1-26, March.
    13. Gao, Lei & Calderon, Thomas G. & Tang, Fengchun, 2020. "Public companies' cybersecurity risk disclosures," International Journal of Accounting Information Systems, Elsevier, vol. 38(C).
    14. Mu’azu Saidu Badara & Siti Zabedah Saidin, 2013. "The Journey so far on Internal Audit Effectiveness: A Calling for Expansion," International Journal of Academic Research in Accounting, Finance and Management Sciences, Human Resource Management Academic Research Society, International Journal of Academic Research in Accounting, Finance and Management Sciences, vol. 3(3), pages 340-351, July.
    15. Mohd Noor Azli, 2013. "A Study of Various Aspects of Internet Financial Reporting: A Case of Malaysian Auditors," Information Management and Business Review, AMH International, vol. 5(6), pages 278-291.
    16. Sanghyun Kim & Bora Kim & Minsoo Seo, 2020. "Impacts of Sustainable Information Technology Capabilities on Information Security Assimilation: The Moderating Effects of Policy—Technology Balance," Sustainability, MDPI, vol. 12(15), pages 1-24, July.
    17. Elisabetta Mafrolla & Felice Matozza, 2014. "Risk management and firm size: a survey of Italian private companies," MANAGEMENT CONTROL, FrancoAngeli Editore, vol. 2014(3), pages 87-108.
    18. Paolo Vanini & Sebastiano Rossi & Ermin Zvizdic & Thomas Domenig, 2023. "Online payment fraud: from anomaly detection to risk management," Financial Innovation, Springer;Southwestern University of Finance and Economics, vol. 9(1), pages 1-25, December.
    19. Aaron Saiewitz & Elaine (Ying) Wang, 2020. "Using Cultural Mindsets to Reduce Cross‐National Auditor Judgment Differences," Contemporary Accounting Research, John Wiley & Sons, vol. 37(3), pages 1854-1881, September.
    20. Saridakis, George & Benson, Vladlena & Ezingeard, Jean-Noel & Tennakoon, Hemamali, 2016. "Individual information security, user behaviour and cyber victimisation: An empirical study of social networking users," Technological Forecasting and Social Change, Elsevier, vol. 102(C), pages 320-330.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:aosoci:v:71:y:2018:i:c:p:15-29. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: http://www.elsevier.com/locate/aos .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.