Printed from https://ideas.repec.org/a/eee/ijoais/v44y2022ics1467089521000506.html

Effectiveness of cybersecurity audit

Author

Listed:
  • Slapničar, Sergeja
  • Vuko, Tina
  • Čular, Marko
  • Drašček, Matej

Abstract

The aim of this paper is to analyze the effectiveness of internal audit of cybersecurity. We developed a Cybersecurity Audit Index composed of three dimensions – planning, performing and reporting – to address this question. We hypothesize that cybersecurity audit effectiveness is positively related to cyber risk management maturity and negatively to the probability of a successful cyber attack. We tested our hypotheses in a survey with auditors and Chief Audit Executives from various countries and industries. We found that Cybersecurity Audit Index scores significantly vary, with a mean of 58 on a scale from 0 to 100. While the planning and performing phases are strongly and positively correlated, they are less strongly related to reporting about cyber risk management effectiveness to the Board of Directors. As predicted, the Cybersecurity Audit Index is positively associated with maturity, but contrary to expectations, it is not related to the probability of a successful cyber attack. This is the first paper that comprehensively measures the effectiveness of cybersecurity audit and its effects on cyber risk management.

Suggested Citation

  • Slapničar, Sergeja & Vuko, Tina & Čular, Marko & Drašček, Matej, 2022. "Effectiveness of cybersecurity audit," International Journal of Accounting Information Systems, Elsevier, vol. 44(C).
  • Handle: RePEc:eee:ijoais:v:44:y:2022:i:c:s1467089521000506
    DOI: 10.1016/j.accinf.2021.100548

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1467089521000506
    Download Restriction: Full text for ScienceDirect subscribers only

    File URL: https://libkey.io/10.1016/j.accinf.2021.100548?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item

    References listed on IDEAS

    1. Modar Abdullatif & Shatha Kawuq, 2015. "The role of internal auditing in risk management: evidence from banks in Jordan," Journal of Economic and Administrative Sciences, Emerald Group Publishing Limited, vol. 31(1), pages 30-50, May.
    2. James Johnson, 2019. "The AI-cyber nexus: implications for military escalation, deterrence and strategic stability," Journal of Cyber Policy, Taylor & Francis Journals, vol. 4(3), pages 442-460, September.
    3. Dominic S.B. Soh & Nonna Martinov-Bennie, 2011. "The internal audit function: Perceptions of internal audit roles, effectiveness and evaluation," Managerial Auditing Journal, Emerald Group Publishing, vol. 26(7), pages 605-622, July.
    4. Gerrit Sarens & Mohammad J. Abdolmohammadi & Rainer Lenz, 2012. "Factors associated with the internal audit function's role in corporate governance," Journal of Applied Accounting Research, Emerald Group Publishing Limited, vol. 13(2), pages 191-204, September.
    5. Chiu, Victoria & Liu, Qi & Vasarhelyi, Miklos A., 2014. "The development and intellectual structure of continuous auditing research," Journal of Accounting Literature, Elsevier, vol. 33(1), pages 37-57.
    6. Rainer Lenz & Ulrich Hahn, 2015. "A synthesis of empirical internal audit effectiveness literature pointing to new research opportunities," Managerial Auditing Journal, Emerald Group Publishing, vol. 30(1), pages 5-33, January.
    7. Mélanie Roussy & Odile Barbe & Sophie Raimbault, 2020. "Internal audit: from effectiveness to organizational significance," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 35(2), pages 322-342, January.
    8. Md. Shariful Islam & Nusrat Farah & Thomas F. Stafford, 2018. "Factors associated with security/cybersecurity audit by internal audit function," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 377-409, April.
    9. Arena, Marika & Arnaboldi, Michela & Azzone, Giovanni, 2010. "The organizational dynamics of Enterprise Risk Management," Accounting, Organizations and Society, Elsevier, vol. 35(7), pages 659-675, October.
    10. Dessalegn Getie Mihret & Bligh Grant, 2017. "The role of internal auditing in corporate governance: a Foucauldian analysis," Accounting, Auditing & Accountability Journal, Emerald Group Publishing Limited, vol. 30(3), pages 699-719, March.
    11. Ran Xu & Kenneth A. Frank & Spiro J. Maroulis & Joshua M. Rosenberg, 2019. "konfound: Command to quantify robustness of causal inferences," Stata Journal, StataCorp LP, vol. 19(3), pages 523-550, September.
    12. El-Hussein E. El-Masry, 2008. "Factors affecting auditors' utilization of evidential cues," Managerial Auditing Journal, Emerald Group Publishing, vol. 23(1), pages 26-50, January.
    13. Amr Kotb & Hany Elbardan & Hussein Halabi, 2020. "Mapping of internal audit research: a post-Enron structured literature review," Accounting, Auditing & Accountability Journal, Emerald Group Publishing Limited, vol. 33(8), pages 1969-1996, August.
    14. Loïc Decaux & Gerrit Sarens, 2015. "Implementing combined assurance: insights from multiple case studies," Managerial Auditing Journal, Emerald Group Publishing, vol. 30(1), pages 56-79, January.
    15. Elina Haapamäki & Jukka Sihvonen, 2019. "Cybersecurity in accounting research," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 34(7), pages 808-834, July.
    16. Sezer Bozkus Kahyaoglu & Kiymet Caliyurt, 2018. "Cyber security assurance process from the internal audit perspective," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 360-376, May.
    17. Thomas Stafford & George Deitz & Yaojie Li, 2018. "The role of internal audit and user training in information security policy compliance," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 410-424, March.
    18. Beasley, Mark S. & Clune, Richard & Hermanson, Dana R., 2005. "Enterprise risk management: An empirical analysis of factors associated with the extent of implementation," Journal of Accounting and Public Policy, Elsevier, vol. 24(6), pages 521-531.
    19. Karl Hackenbrack & W. Robert Knechel, 1997. "Resource Allocation Decisions in Audit Engagements," Contemporary Accounting Research, John Wiley & Sons, vol. 14(3), pages 481-499, September.
    20. Ian Fraser & William Henry, 2007. "Embedding risk management: structures and approaches," Managerial Auditing Journal, Emerald Group Publishing, vol. 22(4), pages 392-409, April.
    21. Steinbart, Paul John & Raschke, Robyn L. & Gal, Graham & Dilla, William N., 2018. "The influence of a good relationship between the internal audit and information security functions on information security outcomes," Accounting, Organizations and Society, Elsevier, vol. 71(C), pages 15-29.
    22. Marko Čular & Sergeja Slapničar & Tina Vuko, 2020. "The Effect of Internal Auditors’ Engagement in Risk Management Consulting on External Auditors’ Reliance Decision," European Accounting Review, Taylor & Francis Journals, vol. 29(5), pages 999-1020, October.

    Citations


    Cited by:

    1. Zhang, Yimei & Smith, Thomas, 2023. "The impact of customer firm data breaches on the audit fees of their suppliers," International Journal of Accounting Information Systems, Elsevier, vol. 50(C).
    2. Kai-Uwe Seidenfuss & Angus Young & Mohan Datwani, 2023. "Integrating governance, risk and compliance? A multi-method analysis of the new Three Lines Model," SN Business & Economics, Springer, vol. 3(10), pages 1-28, October.
    3. Agbodoh-Falschau, Kouassi Raymond & Ravaonorohanta, Bako Harinivo, 2023. "Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations’ perspectives," Technology in Society, Elsevier, vol. 74(C).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Wan-Hussin, Wan Nordin & Fitri, Hadiati & Salim, Basariah, 2021. "Audit committee chair overlap, chair expertise, and internal auditing practices: Evidence from Malaysia," Journal of International Accounting, Auditing and Taxation, Elsevier, vol. 44(C).
    2. Nathanael Betti & Steven DeSimone & Joy Gray, 2022. "The impacts of the use of data analytics and the performance of consulting activities on perceived internal audit quality," Working Papers 2202, College of the Holy Cross, Department of Economics.
    3. Therese R. Viscelli & Mark S. Beasley & Dana R. Hermanson, 2016. "Research Insights About Risk Governance," SAGE Open, vol. 6(4), pages 21582440166, November.
    4. Hani Shaiti & Yahya Al-Matari, 2020. "Internal Audit Function Characteristics and the Quality of Internal Control Systems: Moderating the Effect of Enterprise Resource Planning System Maturity," Asian Economic and Financial Review, Asian Economic and Social Society, vol. 10(9), pages 1012-1027, September.
    5. Wang, Xiong & Ferreira, Fernando A.F. & Chang, Ching-Ter, 2022. "Multi-objective competency-based approach to project scheduling and staff assignment: Case study of an internal audit project," Socio-Economic Planning Sciences, Elsevier, vol. 81(C).
    6. Rakipi, Romina & De Santis, Federica & D'Onza, Giuseppe, 2021. "Correlates of the internal audit function’s use of data analytics in the big data era: Global evidence," Journal of International Accounting, Auditing and Taxation, Elsevier, vol. 42(C).
    7. Christina Vadasi & Michalis Bekiaris & Andreas Andrikopoulos, 2021. "Internal Audit Function Quality and Corporate Governance: The Case of Greece," Multinational Finance Journal, Multinational Finance Journal, vol. 25(1-2), pages 1-61, March - J.
    8. Krane, Ronja & Eulerich, Marc, 2020. "Going global: Factors influencing the internationalization of the internal audit function," Journal of International Accounting, Auditing and Taxation, Elsevier, vol. 41(C).
    9. Li, Yongjian & Zhen, Xueping & Qi, Xiangtong & Cai, Gangshu (George), 2016. "Penalty and financial assistance in a supply chain with supply disruption," Omega, Elsevier, vol. 61(C), pages 167-181.
    10. José Ruiz-Canela López, 2021. "How Can Enterprise Risk Management Help in Evaluating the Operational Risks for a Telecommunications Company?," JRFM, MDPI, vol. 14(3), pages 1-26, March.
    11. Elisabetta Mafrolla & Felice Matozza, 2014. "Risk management and firm size: a survey of Italian private companies," MANAGEMENT CONTROL, FrancoAngeli Editore, vol. 2014(3), pages 87-108.
    12. Leen Paape & Roland F. Speklé, 2012. "The Adoption and Design of Enterprise Risk Management Practices: An Empirical Study," European Accounting Review, Taylor & Francis Journals, vol. 21(3), pages 533-564, January.
    13. Rita Lamboglia & Francesco Paolone & Daniela Mancini, 2019. "Determinants of the implementation of environmental risk indicators: Empirical evidence from the Italian manufacturing context," Corporate Social Responsibility and Environmental Management, John Wiley & Sons, vol. 26(2), pages 307-316, March.
    14. Steven DeSimone & Giuseppe D’Onza & Gerrit Sarens, 2019. "Correlates of Internal Audit Function Maturity," Working Papers 1905, College of the Holy Cross, Department of Economics.
    15. Yongrok Choi & Xiaoxia Ye & Lu Zhao & Amanda C. Luo, 2016. "Optimizing enterprise risk management: a literature review and critical analysis of the work of Wu and Olson," Annals of Operations Research, Springer, vol. 237(1), pages 281-300, February.
    16. Khairul Rizan Mat Ludin & Zakiah Muhammaddun Mohamed & Norman Mohd-Saleh, 2017. "The association between CEO characteristics, internal audit quality and risk-management implementation in the public sector," Risk Management, Palgrave Macmillan, vol. 19(4), pages 281-300, November.
    17. Xin Liu, 2019. "The Role of Enterprise Risk Management in Sustainable Decision-Making: A Cross-Cultural Comparison," Sustainability, MDPI, vol. 11(10), pages 1-15, May.
    18. Mihret, Dessalegn Getie, 2014. "How can we explain internal auditing? The inadequacy of agency theory and a labor process alternative," CRITICAL PERSPECTIVES ON ACCOUNTING, Elsevier, vol. 25(8), pages 771-782.
    19. Shruti Kashyap & Einar Iveroth, 2021. "Transparency and accountability influences of regulation on risk control: the case of a Swedish bank," Journal of Management & Governance, Springer;Accademia Italiana di Economia Aziendale (AIDEA), vol. 25(2), pages 475-508, June.
    20. Osama Samih Shaban & Abdallah Izzat Barakat, 2023. "Evaluation of Internal Audit Standards as a Foundation for Carrying out and Promoting a Wide Variety of Value-Added Tasks-Evidence from Emerging Market," JRFM, MDPI, vol. 16(3), pages 1-13, March.

    More about this item

    Keywords

    Cybersecurity; Internal audit; Assurance; Index; Maturity;

    JEL classification:

    • M42 - Business Administration and Business Economics; Marketing; Accounting; Personnel Economics - - Accounting - - - Auditing
    • M15 - Business Administration and Business Economics; Marketing; Accounting; Personnel Economics - - Business Administration - - - IT Management
