تاثیر رابطه حسابرسی داخلی و عملکرد امنیت اطلاعات
ترجمه نشده

تاثیر رابطه حسابرسی داخلی و عملکرد امنیت اطلاعات

عنوان فارسی مقاله: تاثیر یک رابطه خوب بین حسابرسی داخلی و عملکرد امنیت اطلاعات بر پیامدهای امنیت اطلاعات
عنوان انگلیسی مقاله: The influence of a good relationship between the internal audit and information security functions on information security outcomes
مجله/کنفرانس: حسابداری، سازمان ها و جامعه – Accounting, Organizations and Society
رشته های تحصیلی مرتبط: حسابداری، مدیریت
گرایش های تحصیلی مرتبط: حسابرسی، مدیریت فناوری اطلاعات
کلمات کلیدی فارسی: امنیت اطلاعات، حسابرسی داخلی، حسابرسی IT، حکومت، مدیریت ریسک ، معیارهای امنیتی
کلمات کلیدی انگلیسی: Information security, Internal audit, IT audit, Governance, Risk management, Security metrics
نوع نگارش مقاله: مقاله پژوهشی (Research Article)
شناسه دیجیتال (DOI): https://doi.org/10.1016/j.aos.2018.04.005
دانشگاه: W.P. Carey School of Business Arizona State University – USA
صفحات مقاله انگلیسی: 15
ناشر: الزویر - Elsevier
نوع ارائه مقاله: ژورنال
نوع مقاله: ISI
سال انتشار مقاله: 2018
ایمپکت فاکتور: 2.077 در سال 2017
شاخص H_index: 110 در سال 2019
شاخص SJR: 1.771 در سال 2019
شناسه ISSN: 0361-3682
فرمت مقاله انگلیسی: PDF
وضعیت ترجمه: ترجمه نشده است
قیمت مقاله انگلیسی: رایگان
آیا این مقاله بیس است: بله
کد محصول: E7809
فهرست مطالب (انگلیسی)

Abstract

1- Introduction

2- Background

3- Hypotheses

4- Research method

5- Results

6- Summary and discussion

Acknowledgements

References

بخشی از مقاله (انگلیسی)

Abstract

Given the increasing financial impact of cybercrime, it has become critical for companies to manage information security risk. The practitioner literature has long argued that the internal audit function (IAF) can play an important role both in providing assurance with respect to information security and in generating insights about how to improve the organization's information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of noncompliance, as well as on the numbers of security incidents detected, both before and after they caused material harm to the organization. In addition, we find that higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions.

Introduction

Cybercrime can have a significant, direct economic impact on organizations through asset misappropriation, theft of sensitive private information, disruption of online operations, and legal costs to settle consumer claims about harm (Hong, 2016; ISACA, 2016; Minaya, 2015; PWC, 2016a, 2016b). It can also have an indirect economic effect, given that the disclosure of information security risk factors, governance policies, and information security breaches can significantly impact firm value (Gordon, Loeb, & Sohail, 2010; Higgs, Pinsker, Smith, & Young, 2016; Wang, Kannan, & Ulmer, 2013). In addition, cybercrime poses “a different focal point of concern [and] a different ‘subject’ of risk”, (Power, 2013, p. 538), because perpetrators are often unknown agents outside the organization. This is in contrast to asset theft and financial disclosure risks, where the focus is typically on the actions of identifiable individuals within the organization. Hence, it is not surprising that information security ranks as one of the top concerns for both accounting professionals (Drew, 2015; Hill, 2015) and senior management (Luftman & Ben-Zvi, 2010). Who should be responsible for managing information security risks? The obvious answer would seem to be a dedicated group within the IT function. An ISACA (2011) report, however, suggests that information security risk management is the responsibility of not just a dedicated group within the information technology (IT) function, but also should involve other functions within organizations, including the internal audit function (IAF). The problem of information security risk management therefore provides an important context for research on internal audit as a governance and risk management mechanism. Sarens (2009) argues “… the IAF can have a positive impact on the quality of risk management and internal control processes” (p. 4). Indeed, top management expects the IAF to compensate for the loss of control that comes through increased organizational complexity by both “providing independent assurance” and by “actively contributing to improving of processes and internal controls” (Sarens & De Beedle, 2006, p. 238). Similarly, the practice literature indicates that two of the most important responsibilities of the IAF are to provide assurance about process effectiveness and insights about how to improve performance (Seago, 2017). Despite this consensus among academics, managers, and internal audit professionals that an effective IAF should improve governance and risk management, there is little research that addresses whether the IAF actually does improve governance and risk management outcomes (Carcello, Hermanson, & Ye, 2011; Eden & Moriah, 1996; Gramling, Maletta, Schneider, & Church, 2004). Instead, prior research has tended to focus on respondents' perceptions of the efficacy of the IAF in improving risk management processes, without reporting objective data on the outcomes from these processes (e.g., Arena, Arnaboldi, & Azzone, 2010; Carcello, Eulerich, Masli, & Wood, 2017; de Zwaan, Stewart, & Subramaniam, 2011; Ma'ayan & Carmeli, 2016; Paape & Spekle, 2013).