The Internal Audit Function in Information Technology Governance: A Holistic Perspective

Héroux, Sylvie; Fortin, Anne

doi:10.2308/isys-50331

Cited by 18 publications

(14 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The IAF should play an active role in information security governance and enterprise risk management efforts with respect to information security (Arena et al, 2010;Busco, Giovannoni, Riccaboni, Frigo, & Scapens, 2006;Havelka & Merhout, 2013;Héroux & Fortin, 2013;Merhout & Havelka, 2008;Stoel et al, 2012). According to COBIT5 (ISACA, 2012a), the regular monitoring of performance (Process MEA01) and independent auditing of security (Process MEA02) are an important part of these governance efforts.…”

Section: Introductionmentioning

confidence: 99%

The influence of a good relationship between the internal audit and information security functions on information security outcomes

Steinbart

Raschke

Gal

et al. 2018

Accounting, Organizations and Society

View full text Add to dashboard Cite

Given the increasing financial impact of cybercrime, it has become critical for companies to manage information security risk. The practitioner literature has long argued that the internal audit function (IAF) can play an important role both in providing assurance with respect to information security and in generating insights about how to improve the organization's information security. Nevertheless, there is scant empirical evidence to support this belief. Using a unique data set, this study examines how the quality of the relationship between the internal audit and the information security functions affects objective measures of the overall effectiveness of an organization's information security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of noncompliance, as well as on the numbers of security incidents detected, both before and after they caused material harm to the organization. In addition, we find that higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions.

show abstract

Section: Introductionmentioning

confidence: 99%

The influence of a good relationship between the internal audit and information security functions on information security outcomes

Steinbart

Raschke

Gal

et al. 2018

Accounting, Organizations and Society

View full text Add to dashboard Cite

show abstract

“…The first sees internal auditing as a career in itself, whereas the second views it as a training ground for top managers, an aspect that could fall under the category of internal audit's other roles. Héroux and Fortin (), adopting a holistic approach to examining IT governance, found that the IAF focuses on risk assessment and evaluation of IT controls. Along those lines, D'Onza, Lamboglia, and Verona () argued that managers want greater support from the IAF for IT governance.…”

Section: The Multiple Roles Of Internal Auditmentioning

confidence: 99%

New Perspectives in Internal Audit Research: A Structured Literature Review

Roussy

Perron

2018

Accounting Perspectives

View full text Add to dashboard Cite

This structured literature review adopts a multimethod and multitheoretical approach to identify current knowledge about internal audit as well as related knowledge gaps. To that end, it provides an overview of post-Sarbanes-Oxley Act literature, organizing it under three themes: the multiple roles of internal audit, internal audit quality (IAQ), and the practice of internal audit. Despite the volume of literature published during the period covered by this review (2005 to mid-2017), the first two themes are still in development, while the third is emergent. We suggest research avenues to fill the following main gaps: (i) Given differing opinions about the expected or actual roles of internal audit, prior literature infers that the internal audit function has become the "jack of all trades" of governance, but does not clearly capture its actual roles. (ii) The viewpoint of external auditors has dominated IAQ research, leading to a misunderstanding of how actors with greater stakes in the practice of internal audit conceptualize and evaluate IAQ. (iii) Knowledge of the actual practice of internal audit and its accountability and ethical issues is fragmentary, therefore the literature's current picture of internal audit is far from comprehensive.

show abstract

“…To be able to detect material weaknesses in IT systems, audit teams need to have knowledge and competencies not only about accounting and auditing, but also on IT specialised knowledge. Specialised IT professional qualifications and certifications have been shown to have more likelihood of involvement with auditing on IT governance, risks and controls (Héroux and Fortin, 2012). Knowledge about IT and accounting system, are shown to be important factors in IT audit quality (Havelka and Merhout, 2013;Stoel, Havelka, and Merhout, 2012).…”

Section: Audit Team's It Knowledge and Competenciesmentioning

confidence: 99%