Internal auditing has become increasingly important in current business environments. In the era of the Sarbanes-Oxley Act and similar legislation, regulatory compliance requires elaborate organizational planning. Auditing supports organizations in internal control assessment, change management, and governance preparedness, and thereby strengthens information assurance. This chapter discusses the various facets of internal auditing and analyzes the role of internal auditing in information assurance. Future issues and trends in internal auditing are also presented.
Regulations including the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the USA Patriot Act, and a plethora of others have created an urgency among business organizations for rapid compliance with governmental standards. Internal auditors play an increasingly important role in today's business environment and are therefore in great demand, as the recent rise in the job satisfaction and salaries of internal auditors shows (Oxner & Oxner, 2006). Businesses often use internal auditors as in-house consultants, relying on them to add value to a wide range of initiatives including management controls, financial reporting, information systems design, and fraud detection. Auditing contributes to securing information systems within organizations through functions such as internal control assessment, controls over financial reporting, the design and implementation of information systems, vulnerability management, risk analysis, segregation of duties, review of the adequacy of business controls, and the physical security of assets.
Recent developments in the regulatory environment have significantly changed the organizational outlook on internal auditing. Internal auditors are aware of these increased responsibilities and concentrate on finding new ways of assuring the public of the integrity of organizational reports (Verschoor, 1991). Today's business environment requires an audit process that supports continuous assessment of the goals and objectives of information assurance. Strategic organizational goals must be executed tactically, with the capability to measure performance. For information assurance purposes, the audit team, the security team, and information technology operations should coordinate closely (Bunker, 2003).
Information assurance (IA) can be viewed as an objective that involves all of the people, activities, and technologies employed to ensure that the fundamental security properties of confidentiality, integrity, and availability are met throughout the lifecycle of a system (McEvilley, 2002). IA can also be viewed as a process-centric activity that is comprehensive enough to include operations at the definition, implementation, and verification levels. IA further includes day-to-day operations and the maintenance of system integrity during those operational transactions. Assurance is subjective in nature and needs to be clearly explained to everyone involved in the security process.
Increasingly complex auditing functions require auditors to possess deep knowledge of the organization and its business processes. Auditors should demonstrate an adequate understanding of the organizational culture, of the key players in the organization, and of the competitive environment in which the organization operates. Audit practices of heightened importance in today's context include risk management and risk assessment. Recent research from the Institute of Internal Auditors' Global Auditing Information Network (GAIN) indicates that, given the tools and techniques currently available to audit teams, managing risk and consulting with management on aligning organizational goals across departments are considered extremely important. The audit function thus helps secure information systems through internal control assessment, risk analysis, segregation of duties, review of the adequacy of business controls, and the physical security of assets. The audit process and plan should state roles and responsibilities clearly. An audit is also a means of ensuring accountability at the management level of the organization. Accountability in management structures leads to better security management, because the governance objective of securing informational assets can then be pursued systematically. An accountability map provides security management programs with this critical component (Bunker, 2003).