Key drivers of cybersecurity audit effectiveness: A neo‐institutional perspective

Author:

Vuko Tina (1), Slapničar Sergeja (2), Čular Marko (1), Drašček Matej (3)

Affiliation:

1. Faculty of Economics, Business and Tourism, University of Split, Split, Croatia

2. UQ Business School, The University of Queensland, St Lucia, Queensland, Australia

3. Hranilnica LON d.d., Kranj, Slovenia

Abstract

The aim of this paper is to analyse which factors explain the effectiveness of internal audit in providing assurance about cybersecurity risk management. On the basis of neo‐institutional theory, we hypothesize that coercive (cybersecurity regulation), normative (professionalization of internal auditors and Boards) and mimetic forces (outsourcing of cyber security assurance services) positively contribute to cybersecurity audit (CSA) effectiveness. As these forces do not come about in an interest-free model, we study the role of and the interaction with other actors who shape the CSA practices: Boards and security experts. We hypothesize that Board's support to CSA and the level of internal auditors' cooperation with the first and the second line of defence positively affect CSA effectiveness. To test our hypothesis, we conducted a survey involving IT auditors and Chief Audit Executives from various industries, organizations of different sizes and countries. We examined the hypothesized relationships in a series of regression analyses. We find that normative forces (professionalization of the internal auditors and Boards' competences), Board's support to CSA and cooperation between the internal audit function (IAF) and the first two lines of defence significantly explain the CSA effectiveness. We find no support for the effect of regulation as a coercive force and outsourcing as a mimetic force. We discuss potential reasons for our findings and their implications. The paper is an original analysis that advances our understanding of key drivers of CSA effectiveness and their relationships.

Publisher

Wiley

