Relationship between Internal Audit & Information Security
Cosmin SERBANESCU
Internal Control Institute
© Copyright Internal Control Institute™
An audit a year, keeps you at clear!
Myth & Fact
Myth
The Internal Audit and Information Security functions should work together synergistically.
Key responsibilities
(i) Information Security Staff
• designs, implements, and operates various procedures and technologies to protect the organization’s information resources.
(ii) Internal Audit
• provides periodic feedback concerning the effectiveness of those activities, along with recommendations for improvement.
Fact
Practical job experience, however, suggests that the two functions do not always have a harmonious relationship.
Information Security
Information security:
• protects an organization’s resources,
• ensures the reliability of its financial statements and other managerial reports (AICPA).
COBIT (ITGI) stresses that it is a component of management’s governance responsibilities to design and implement a cost-effective information security program.
Potential effect of internal audit on information systems security
Factors to be considered
Statement 1
Internal audit’s level of IT knowledge directly affects the quality of the relationship between internal audit (IA) and information security (IS).
Higher levels of technical IT knowledge (e.g. CISA, CISSP) result in deeper and more effective relationships between the two functions.
Statement 2
Internal audit’s communications skills directly affect the level of cooperation between IA and IS.
Clearly defining the scope and purpose of an audit results in more cooperation and increased trust by the information systems security function.
Statement 3
Internal audit’s attitude directly affects the level of cooperation between IA and IS.
When internal audit has a “partnering” or “process improvement” attitude, there will be a higher level of trust and cooperation.
When internal auditing has a “policeman” attitude, there will be less cooperation.
Statement 4
Top management influences the nature of the relationships.
Specifically, when the CAE and security executives have a “partnering” attitude, the relationship between their staff will be much more collaborative than when the relationship between the executives responsible for each function is less positive.
Statement 5
Organizational characteristics, such as the nature of any regulatory compliance requirements and formal communications channels, affect the nature of the relationship.
Statement 6
A collaborative relationship increases user compliance with the organization’s information security policies and procedures.
Moreover, it improves the effectiveness of internal audit by directing attention to the highest-risk areas.
Conclusions
• Monitoring is an integral component of an effective internal control system (COSO-ERM).
• Regular monitoring of information security controls can improve the overall effectiveness of an organization’s information security program.
• Although monitoring of information security controls is done by the information security function, additional benefits may accrue when it is supplemented with review by internal audit.
• The benefits of such independent feedback depend upon:
(a) the level of IT knowledge possessed by internal auditors,
(b) perception of their role (e.g. policeman versus trusted advisor),
(c) top management support, and
(d) organizational characteristics.
Questions & Answers Session
Thank you!
Cosmin SERBANESCU
For more information on upcoming training courses, certification exams and news from the Internal Control Institute you may:
a) contact the author - cosmin.serbanescu@internalcontrolinstitute.ro, or
b) visit the website - www.internalcontrolinstitute.ro