Research: How effective is internal auditors' cyber security assurance?

The European Confederation of Institute of Internal Auditors recognises cyber security (CS) as one of the top five business risks. The recent global pandemic has only intensified it by telecommuting, expanding work environment with videoconferencing software, adding personal devices, and private WiFi networks to organization’s systems. Despite orchestrated efforts in CS risk management, the number of successful attacks is still growing.

Principles of sound risk management warrant that cyber security risk management is organised in the three lines model. Business units together with the information technology function represent the first line. The information security risk management represents the second line of cyber security. An independent assurance that CS risk management strategy, policies, procedures and controls are effective if is provided by the third line the internal audit function (IAF). Yet, many IAFs lack expertise and resources in the area of cyber security.

The aim of this paper is to analyze how effective internal audit of cyber security assurance is. To address this question we develop a Cyber Security Assurance (CSA) Index, composed of three dimensions (planning, performing and reporting). We hypothesize that the three phases of CS assurance are associated, that cyber security assurance is positively related to cyber risk management maturity of an organization and negatively to the probability of a successful cyber-attack. To test our hypotheses, we conducted a survey with 183 IT auditors and Chief Audit Executives from various countries and industries.

We find that cyber security assurance is moderately effective, with a median CSA Index score of 61 on the scale from 0 to 100. While planning and performing CS assurance are strongly positively correlated, each of them is less related to reporting on CS risk management effectiveness to the Board of Directors. CSA Index is positively related to cyber security risk maturity but not to the probability of a cyber-attack. Our paper advances the literature on cyber security risk management and internal audit of that area and has several theoretical contributions and practical implications.

This eBrochure reports the findings of a joint research project of the University of Queensland (Australia) and the University of Split (Croatia) about the effectiveness of cyber security risk assurance. We developed an original Index of CS assurance effectiveness and measured it on a large-scale international sample.

183 of Chief Audit Executives (CAE) and IT auditors from 20 different countries, organizations of various sizes and industries participated in the survey from the end of May 2020 till the beginning of August 2020.