Cybersecurity in the IT audit : A study among IT auditors on their judgment and decision making.
De Bie, Dennis (2019-08-23)
The publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
closed
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe202001243285
Abstract
Information technology (IT) auditors use professional judgment to make decisions during their work. Their professional judgment and decision making is influenced by several factors. Additionally, society increasingly expects IT auditors to include cybersecurity in their work. This study identifies the factors that IT auditors rely on when making judgment and decisions on cybersecurity, as part of their IT auditing work. During interviews with IT auditors, it is determined which factors could be improved, which factors are considered most often, and what can be done to improve professional judgment and decision making when including cybersecurity in the IT auditor’s work. IT auditors are engaged in several types of assignments. This study focuses mainly on the IT audit engagement that occurs during the financial statement audit.
This study uses design-based research to construct a model that visualizes the IT audit process. Professional judgment and decision making factors that are being used in this process are linked to the model. This model is tested in interviews with IT auditors. Several iterations are constructed. The final model represents the IT audit process, and systematizes the professional judgment and decision making factors that influence each step in this process.
The study found that the professional judgment and decision making factors that have been identified by prior research are not sufficient to explain the judgment and decision making that happens when cybersecurity is involved in the IT audit. When considering cybersecurity, IT auditors rely on two types of knowledge: client and technical. Furthermore, society expects IT auditors to include cybersecurity in their work, which affects their judgment and decision making.
Another significant finding is that IT auditors consider it challenging to determine the norms that they should apply in their work. Since cybersecurity is relatively new to the IT audit, it is unclear to practitioners which level of assurance they should provide on cybersecurity controls. The study concludes with recommendations that help IT auditors when including cybersecurity in their work.