Bridging the gap: How internal audit and IT can work together to improve information security
In many organizations, the internal audit and information security functions can't seem to get on the same communication wavelength. For companies interested in improving their information security infrastructure, however, this is a disconnect that must be fixed, according to information systems Professor Paul Steinbart. In a keynote address at a recent International Conference on Accounting and Information Technology meeting, Steinbart told his audience that preventative information security is almost always more effective than corrective or detective information security. And, he says, internal audit can play a hugely valuable role in the creation of an effective preventative IT strategy.
Internal auditors and information security professionals don't always get along, and it's not really all that difficult to figure out why.
"They just have different cultures and different backgrounds," W. P. Carey Professor of information systems Paul Steinbart explains. "I mean, when you think about it, most information security people have a computer science-type background with very little business focus. Meanwhile, on the internal auditing side, it's all about accounting and business with maybe just a smattering of IT."
To put it another way, internal auditors, the people charged with ensuring that companies are running in the most efficient way possible, and information security staffers, the people charged with protecting their companies' electronic data, simply don't have much -- if anything -- in common.
They don't have the same training. They don't have the same responsibilities. They don't speak the same language.
Steinbart understands the gulf between these two groups. In his work over the years with organizations of all kinds, he's witnessed first-hand the often palpable tension between them. It is a real tension, he says -- and a real problem.
But it's a problem Steinbart believes must be fixed -- must be fixed, that is, in the interest of better information security.
In a new line of research aimed at bridging the gulf between internal audit and information security, Steinbart aims to find hard data that will back up his belief that internal auditors and IT staff can work together effectively, and in so doing, significantly enhance their company's overall information security structure. These disparate groups of professionals may not speak the same language, Steinbart says, and they may often find themselves butting heads, but the reality is, they do have a common interest: The well-being of their company.
"If you go to an information security conference you'll hear all kinds of anecdotal stories about the arms-length, dysfunctional relationships out there between IT and internal audit," says Steinbart, co-author of a widely-used textbook called "Accounting Information Systems."
"The IT people maybe look down on internal audit and say, 'You guys don't know what you're doing.' The internal audit people are more interested in assessing the overall business processes, and so many of them may view this IT stuff as a 'necessary evil.' But the problem in cases like this is that the organization, then, doesn't get the full potential benefits of having those two functions work more closely together."
Different viewpoints, common interests
And, yes, Steinbart says, there are benefits to be had -- significant benefits, actually. The only question is whether organizations -- and the groups themselves -- are willing to put forth the effort to bring those benefits to fruition.
Earlier this year, Steinbart traveled to the National Chung Cheng University in Chiayi, China, for the International Conference on Accounting and Information Technology (ICAIT), which gathered top professionals from both academia and business to discuss risk management, globalization issues, cloud computing, the implementation of IFRS (International Financial Accounting Standards) and other issues with important implications for both accounting and IT.
"As the title of the conference implies, it was all about the intersection of accounting and IT issues," Steinbart says. It was a perfect audience for Steinbart's message, delivered in his keynote, "Audit's Role in Creating an Effective Security Program."
"My focus was on the idea that, traditionally, the accounting folks and IT folks don't generally see eye to eye," says Steinbart. "In fact, recently there was a whitepaper [about the topic] from PriceWaterhouseCoopers, with the title 'Are CFOs from Mars & CIOs from Venus?' ? that paper just shows that internal audit and security have the same disconnect as there is in the broader IT/accounting community.
For companies interested in improving their information security infrastructure, however, this is a disconnect that, according to Steinbart must be fixed. As he told his ICAIT audience, preventative information security is almost always more effective than corrective or detective information security. And Steinbart says that internal audit can play a hugely valuable role in the creation of an effective preventative IT strategy.
When internal audit groups approach information security properly they are uniquely qualified to offer the kind of "actionable feedback" that can help information security strengthen existing security systems and fix problem areas before they are exploited.
How to get there? Pretty simple, Steinbart says. In fact, he's created a simple list of do's and don'ts -- rules that he says can keep internal audit on the right track in the realm of information security:
- Internal audit shouldn't focus on "compliance," but rather "process improvement"
- Internal audit shouldn't act as "policeman," but rather as "partner."
- Internal audit shouldn't engage in "periodic assessment," but rather "continuous assessment."
Latest news
- Lab lessons: Modern Grind brews up expansion with help from ASU
Avondale's coffee, tea, and health drink drive-thru partners with the SMB Lab to empower…
- Lab lessons: Roadcase.com VP shares how ASU's SMB Lab fueled growth and efficiency
The Arizona-based audio/visual equipment case manufacturer gets expert guidance on improving…
- Best installment loans
Loans should be prioritized by their ability to improve human capital, says an ASU finance…