This case examines the process that organizations follow during a security audit by external auditors. The audit process usually consists of several phases, starting with preparing for an audit, working with the auditors, and finally implementing auditor recommendations to fill gaps in the policies and procedures. Typically, auditors examine organizational policies in context of current industry standards to identify gaps in the policy. The policy implementation is then reviewed through analysis of data in logs, interviews with personnel, and occasionally using penetration testing on the network. While this is a routine process, it can be stressful for security officers who consider weaknesses in organizational security as personal failures. As a result, an adversarial relationship if often formed between auditors and the security officers. Most past studies have focused on the role and conduct of an auditor in the audit process. The purpose of this paper is to help security officers prepare for an audit with a systems approach that reduces subjectivity. Best practices are elucidated through the case of an audit in a large educational institution. The processes and procedures laid out are not limited to educational institutions and are appropriate for any domain. Proper preparation will assist organizations in using an audit constructively for improving their organizational security posture. This paper presents a methodical approach for a security officer to follow during the security audit of the organization in context of a large public university.

Accounting and Information Management Division. United States General Accounting Office. (1999). Federal Information System Control Manual. United States General Accounting Office, 1-278.

Alberts, C., and Dorofee, A., (2003). Managing Information Security Risks: The Octave Approach, New York, NY: Pearson Education Inc.

Barber, B., and Davey, J. (1992). The Use Of The CCTA Risk Analysis And Management Methodology CRAMM. Proceedings of the Seventh World Congress on Medical Informatics. (pp. 1589-1593). North Holland: Elsevier.

Bishop, M. (2002). Computer Security: Art and Science. New York, NY: Addison-Wesley Professional.

Costouros, G.J. (1978). Auditing in the Athenian state of the golden age (300-500 B.C.). The Accounting Historians Journal, 5(1), 41-50.

Davis, H.Z. (1981). Note on the first recorded audit in the Bible. The Accounting Historians Journal, 8(1), 71-72.

de Rutyer, K., and Wetzels, M. (1998). Commitment in auditor-client relationships: antecedents and consequences. Accounting, Organization, and Society, 24, 57-75.

Dimitrakos, T., Rithie, B., Rapis, D. & Stolen, K. (2002). Model Based Security Risk Analysis for Web Applications: The CORAS Approach. Proceedings of the Euroweb 2002 Conference, The Web and the GRID: from e-science to e-business.

Gallegos, F., Senft, S., Manson, D.P., and Gonzales, C. (2004). Information Technology Control and Audit, Second Edition. Boca Raton, FL: CRC Press LLC.

Goel, S. & Chen, V. (2005). Information Security Risk Analysis - A Matrix-Based Approach. Proceedings of the Information Resource Management Association (IRMA) International Conference, San Diego, CA.

Janczewski, L. (2000). Internet and Intranet Security Management: Risks and Solutions. Hershey, PA: Idea Group Publishing.

Legal and Reporting Issues Work Group. Intergovernmental Information Security Audit Forum. (2003). Information systems security auditing: legal and reporting considerations. National Association of State Auditors, Comptrollers, and Treasurers; the National Association of Local Government Auditors; the U.S. General Accounting Office; and U.S. Inspectors General, 1-36.

MacLullich, K.K. (2003). The emperor’s ‘new’ clothes? New audit regimes: insights from Foucault’s technologies of the self. Critical Perspectives on Accounting, 14, 791-811.

Management Planning Guide Committee. Joint Information Systems Security Audit Initiative. (2001). Management Planning Guide for Information Systems Security. National State and Auditors Association and U.S. General Accounting Office, 1-60.

McDonald, J.C. (1992). Public networks- dependable? IEEE Communications, 30(4), 110-112.

National Institute of Standards and Technology (NIST). An Introduction To Computer Security: The NIST Handbook. National Institute of Standards and Technology (NIST) Special Publication 800-12, U.S. Government Printing Office, October 1995.

Ozier, W. (1989). Risk Quantification Problems and Bayesian Support Systems Solutions. Information Age, 11(4), 229-234.

Palmrose, Z-V., and Saul, R.S. (2001). The push for auditor independence. Regulation, 24(Winter), 18-23.

Parker, D.B. (1981) Managers Guide to Computer Security. Reston, VA: Prentice-Hall, Inc

Peltier, T.R. (2001). Information Security Risk Analysis. New York, NY: Auerbach Publications.

Pfleeger, C.P. and Pfleeger, S.L., (2003) Security in Computing, Upper Saddle River, NJ: Prentice Hall PTR.

Ridley, G., Young, J., and Carroll, P. (2004). COBIT and Its Utilization: A Framework from the Literature. Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS’04), 80233.

Stoneburner, G., Goguen, A., and Feringa, A. (2001). A Risk Management Guide For Information Technology Systems: Recommendations Of The National Institute Of Standards And Technology. National Institute of Standards and Technology (NIST) Special Publication 800-30, U.S. Government Printing Office.

United States of America vs. Arthur Andersen, LLP. (2001). T. 18, U.S.C., §§ 1512(b)(2) and 3551 et seq.

Woodruf, J., and Searcy, D. (2001). Continuous audit implications of Internet technology: triggering agents over the web in the domain of debit covenant compliance. Proceedings of the 34th Hawaii International Conference on System Sciences.