The Influence of Internal Audit on Information Security effectiveness: Perceptions of Internal Auditors Ray Henrickson CA CPA CISA VP Information Systems and Technology Audit The Bank of Nova Scotia

2 Background System environment – Complex, integrated systems Millions of transactions a day +1,000 systems Multiple IT channels – +150 people in information security area – Large security budget – Comprehensive and sophisticated security controls – Industry cooperation and collaboration Business environment – Highly desirable target – Extensive collaboration with third parties – The bad guys are really clever

3 Tried to link perceptions of relationship to quantitative outcomes Sample Population – Majority of respondents are in regulated businesses. Although no indication of the size of the organization or the size of the security function/budget. – Demographics – professionally experienced and skilled audit population. The study recognized and effectively dealt with inherent limitations – small sample size, cross sectional vs longitudinal study Positives

4 Relatively small number of findings and incidents reported Number of security-related audit findings had decreased over the past three years Number of security incidents in the past year had slightly decreased from what it was three years earlier Surprises

5 Quality of RelationshipAudit findings Security Incidents Frequency of Audit Relationship Frequency of AuditAudit findings Security Incidents Study Results

6 Quality of the relationship – The factors that underpin Frequency of audit – Difficult to link some of the identified areas to security Security incident – What is a security incident? – malware, identify theft, phishing, code level deficiency such as cross-site scripting of SQL injection, loss/theft of asset, man-in-the-middle/browser, DDOS, mobile computing, economic espionage, end user computing, segregation of duties, etc. Audit finding – What is the significance? What is the root cause of the finding – not doing the right thing or not doing things right? Consider – Definitions

7 To understand the auditors’ views on the choices and risk ranking of security vs other functional areas To assess the significance of the security issues and audit findings – Not all issues and findings are of equal significance Consider – Risk

8 Quality of relationship and frequency of audit don’t seem to relate to number of findings or number of security incidents but may be related to something else: Audit efficiency Audit scope and objectives Relevance of issues and recommendations Quality of reporting Supplemental analysis confirmed it is easier to find issues with the people than the technology. My Takeaways

9 No conclusion on how Internal Audit positively influences the effectiveness of information security Results may indicate that auditor independence and objectivity is not influenced by Quality of Relationship or Frequency of audit Both Audit and Information Security are working independently and collaboratively towards same objective – improved information security My Takeaways

10 Value of the Work Identifies some factors associated with relationships in the audit environment. Findings likely apply to other audit relationships. Suitable as a starting point for future studies by IS Assurance academics

11 Future Research Use different performance metrics Clarity of definition of terms More information on the size of the organization, the size of the security and the audit functions More granular information on nature and significance of audit issues Consider the organization’s assessment of risk Validate the survey in advance with an internal audit practitioner