Internal auditing has become increasingly important in current business environments. In the era of the Sarbanes-Oxley Act and similar legislation, regulatory compliance requires elaborate organizational planning. Auditing helps organizations with internal control assessment, change management, and governance preparedness, thus enhancing information assurance. This chapter discusses various facets of internal auditing and analyzes the role of internal auditing in information assurance. Future issues and trends in internal auditing are also presented.
Regulations including the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the USA Patriot Act, and a plethora of others have created an urgency among business organizations to comply rapidly with governmental standards. Internal auditors play an increasingly important role in today’s business environment and are therefore in great demand. This is clearly evident from the recent surge in the job satisfaction and salaries of internal auditors (Oxner & Oxner, 2006). Businesses often use internal auditors as in-house consultants, relying on them to add value to a wide range of initiatives including management controls, financial reporting, information systems design, and fraud detection. Auditing plays an important role in securing information systems within organizations through functions such as internal control assessment, controls over financial reporting, the design and implementation of information systems, vulnerability management, risk analysis, segregation of duties, assessment of the adequacy of business controls, and the physical security of assets.
Recent developments in the regulatory environment have brought significant changes to the organizational outlook regarding internal auditing. Internal auditors are aware of these increased responsibilities and concentrate on discovering new ways of assuring the public about the integrity of organizational reports (Verschoor, 1991). Today’s business environment requires an audit process that supports the continuous assessment of the goals and objectives of information assurance. Organizational strategic goals must be tactically executed with performance measuring capability. For information assurance purposes, there should be close coordination between the audit team, the security team, and the information technology operations (Bunker, 2003).
Information assurance (IA) can be viewed as an objective that involves all of the people, activities, and technologies employed to ensure that the fundamental security properties of confidentiality, integrity, and availability are met throughout the lifecycle of a system (McEvilley, 2002). IA can also be viewed as a process-centric phenomenon comprehensive enough to include definition, implementation, and verification operations. IA further includes day-to-day operations and the maintenance of system integrity across those operational transactions. Assurance is subjective in nature and needs to be clearly explained to everyone involved in the security process.
Increasingly complex auditing functions require auditors to possess deep knowledge of the organization and its business processes. Auditors should show an adequate understanding of the organizational culture, of the key players in the organization, and of the competitive environment in which the organization operates. Audit practices of heightened importance in today’s context include risk management and risk assessment. Recent research from the Institute of Internal Auditors’ Global Auditing Information Network (GAIN) indicates that, given the various tools and techniques currently available to auditing teams, managing risks and consulting with management on aligning organizational goals across departments are considered extremely important. The audit function contributes to securing information systems through internal control assessment, risk analysis, segregation of duties, assessment of the adequacy of business controls, and the physical security of assets. The audit process and plan should contain a clear statement of roles and responsibilities. An audit is also a means of ensuring accountability at the management level of organizations. Accountability in management structures improves security management, since the governance objective of securing information assets can then be pursued in a systematic fashion. An accountability map provides security management programs with this critical component (Bunker, 2003).
Key Terms in this Chapter
Internal Control: Internal controls are a means to provide reasonable assurance that an organization will achieve its business objectives while avoiding undesired risks (ISACA, 2004). Internal controls are policies, procedures, practices, and organizational structures put in place to reduce business risks in organizations.
Role of Audit: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes (Institute of Internal Auditors, 2006).
IT Governance: IT governance can be defined as the structure of relationships and processes to direct and control the enterprise. IT governance helps the organization achieve its goal by adding value while balancing risk and return over IT and its processes (ISACA, 2004).
Information Systems Security: Information systems security is the process of protecting all information assets from misuse, harm or any other unintended result. This includes securing information in computers, maintaining integrity of business processes, retaining skilled knowledge workers with their implicit knowledge and also encouraging employees to claim ownership of their share of information assets (Dhillon, 2006).
Information Assurance (IA): A process-centric phenomenon comprehensive enough to include definition, implementation, and verification operations.