A Perspective on the Evolution of Information System Security Audits: Challenges and Implications
Source: Journal of Information Systems Security, Volume 12, Number 1 (2016), pages 45–72. ISSN 1551-0123 (Print), ISSN 1551-0808 (Online)
Authors: Sunita Goel (Siena College, USA), Margaret Garnsey (Siena College, USA), Qi Liu (Siena College, USA), Ingrid Fisher (State University of New York at Albany, USA)
Publisher: Information Institute Publishing, Washington DC, USA
Abstract
Advances in technology have made it possible to capture vast amounts of financial and non-financial information, while at the same time shifting control from the producers and assurers of information to its recipients. As a result, threats to information systems (IS) have grown exponentially, making IS security audits even more cumbersome. Assessing the effectiveness of internal controls is a primary objective of an IS audit, which is distinct from a financial audit, whose concern is the accuracy of financial statements. Security auditing has been part of the auditing profession since the late 1970s, when information technology was first deployed at scale in organizations to improve efficiency and productivity. As technology has advanced, however, audits have become increasingly cumbersome, and rapid innovation has left the auditing profession lagging behind and struggling to catch up. In this paper, we examine the evolution of IS security auditing and discuss how technology is affecting the audit profession.
Keywords
Information System Security, Security Audits, Audit Tools, Security Controls, Audit Failures