The Influence of Internal Audit on Information Security Effectiveness October 5, 2013 Perceptions of Internal Auditors Graham Gal With Paul Steinbart,
The Influence of Internal Audit on Information Security Effectiveness October 5, 2013 Perceptions of Internal Auditors Graham Gal With Paul Steinbart, Robyn Rascke, and Bill Dilla

University of Waterloo Symposium on Information Integrity and Information Systems Assurance

Outline
– Previous Work
– Method and Hypothesis
– Results
– Implications

Previous Work
– Impact of monitoring on information security
  – Monitoring of controls reduces risk (R & M 2009)
  – Monitoring as an enabling process (ITGI 2012)
  – Relationship between INFOSEC and IA
– Compliance with SOX (Wallace et al. 2011)
– Infosec perceptions of effectiveness (Steinbart et al. 2013)
  – Frequency of interaction
  – Knowledge of domain
    – Incidents
    – Findings

Method and Hypothesis Tested
– Data Collection
  – Web Based Survey
– Subjects: 42
  – Certifications (98%)
  – Work Experience (74% > 10 years)
  – Type of firm
    – For profit: 82%
    – Across industries: 42% financial services; 26% Health/Education/Professional Services

Hypotheses Tested
– H1: Internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions will be positively related to the number of audit findings related to information security.
– H2: Internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions will be negatively related to the frequency of security incidents.
– H3: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be positively associated with internal auditors’ perceptions about the quality of the relationship between the internal audit and information security functions.
– H4: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be positively associated with the number of audit findings related to information security.
– H5: The frequency of internal audit reviews of various aspects of their organization’s information security activities will be negatively associated with the number and severity of security incidents.

Relationship Quality
Quality of Relationship between information security and internal audit:
– Members of information security and internal audit work together to assure information systems are secure and reliable
– There is little friction between internal audit and information security
– The relationship between internal audit and information security staff is close and personal
– There is a good working relationship between internal audit and information security

[Path model diagram] Constructs: Frequency of Internal Audit Review of Info Security; Quality of Relationship between IA and Infosec; Top Management Support; Outcomes (Findings and Security Incidents). Path labels as shown: H3 ***; H1 & H2; H4 & H5 ***.

Frequency of the Review
Internal Audit Reviews of Information Security Topics:
– Business Continuity and Disaster Recovery
– Identity and Access Management
– Logging and System Monitoring
– Firewalls and Other Network Access Devices
– Encryption policies (including key management)
– Backup Procedures
– Change Management Controls
– Security Policies

[Path model diagram, outcomes = Findings] Constructs: Frequency of Internal Audit Review – Financial Items; Frequency of Internal Audit Review – Technical Items; Quality of Relationship between IA and Infosec; Top Management Support; Outcomes (Findings). Path labels as shown: H3a ***; H1 & H2; H4a ***; H5a *** ***.

[Path model diagram, outcomes = Incidents] Constructs: Frequency of Internal Audit Review – Financial Items; Frequency of Internal Audit Review – Technical Items; Quality of Relationship between IA and Infosec; Top Management Support; Outcomes (Incidents). Path labels as shown: H3b ***; H1 & H2; H4b; H5b ***.

Implications
– Frequency improved perceptions of quality of relationship
  – Similar to our previous work
  – IA mean of overall frequency implies IA could be more involved
– Impact on outcomes
  – Relationship is improved by frequency
  – No mediated impact on outcomes (findings or incidents)
  – Decomposed types of reviews
    – “Softer People Oriented” and “Technical” reviews impact findings
    – “Softer People Oriented” and “Technical” reviews do not impact incidents