Tina Vuko, Sergeja Slapničar, Marko Čular, Matej Drašček
{"title":"Key drivers of cybersecurity audit effectiveness: A neo‐institutional perspective","authors":"Tina Vuko, Sergeja Slapničar, Marko Čular, Matej Drašček","doi":"10.1111/ijau.12365","DOIUrl":null,"url":null,"abstract":"The aim of this paper is to analyse which factors explain the effectiveness of internal audit in providing assurance about cybersecurity risk management. On the basis of neo‐institutional theory, we hypothesize that coercive (cybersecurity regulation), normative (professionalization of internal auditors and Boards) and mimetic forces (outsourcing of cyber security assurance services) positively contribute to cybersecurity audit (CSA) effectiveness. As these forces do not come about in an interest free model, we study the role of and the interaction with other actors who shape the CSA practices—Boards and security experts. We hypothesize that Board's support to CSA and the level of internal auditors' cooperation with the first and the second line of defence positively affect CSA effectiveness. To test our hypothesis, we conducted a survey involving IT auditors and Chief Audit Executives from various industries, organizations of different sizes and countries. We examined the hypothesized relationships in a series of regression analyses. We find that normative forces (professionalization of the internal auditors and Boards' competences), Board's support to CSA and cooperation between the internal audit function (IAF) and the first two line of defence significantly explain the CSA effectiveness. We find no support for the effect of regulation as a coercive force and outsourcing as a mimetic force. We discuss potential reasons for our findings and their implications. The paper is an original analysis that advances our understanding of key drivers of CSA effectiveness and their relationships.","PeriodicalId":47092,"journal":{"name":"International Journal of Auditing","volume":"75 1","pages":""},"PeriodicalIF":2.1000,"publicationDate":"2024-07-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Auditing","FirstCategoryId":"91","ListUrlMain":"https://doi.org/10.1111/ijau.12365","RegionNum":4,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"BUSINESS, FINANCE","Score":null,"Total":0}
引用次数: 0
Abstract
The aim of this paper is to analyse which factors explain the effectiveness of internal audit in providing assurance about cybersecurity risk management. On the basis of neo‐institutional theory, we hypothesize that coercive (cybersecurity regulation), normative (professionalization of internal auditors and Boards) and mimetic forces (outsourcing of cyber security assurance services) positively contribute to cybersecurity audit (CSA) effectiveness. As these forces do not come about in an interest free model, we study the role of and the interaction with other actors who shape the CSA practices—Boards and security experts. We hypothesize that Board's support to CSA and the level of internal auditors' cooperation with the first and the second line of defence positively affect CSA effectiveness. To test our hypothesis, we conducted a survey involving IT auditors and Chief Audit Executives from various industries, organizations of different sizes and countries. We examined the hypothesized relationships in a series of regression analyses. We find that normative forces (professionalization of the internal auditors and Boards' competences), Board's support to CSA and cooperation between the internal audit function (IAF) and the first two line of defence significantly explain the CSA effectiveness. We find no support for the effect of regulation as a coercive force and outsourcing as a mimetic force. We discuss potential reasons for our findings and their implications. The paper is an original analysis that advances our understanding of key drivers of CSA effectiveness and their relationships.
期刊介绍:
In addition to communicating the results of original auditing research, the International Journal of Auditing also aims to advance knowledge in auditing by publishing critiques, thought leadership papers and literature reviews on specific aspects of auditing. The journal seeks to publish articles that have international appeal either due to the topic transcending national frontiers or due to the clear potential for readers to apply the results or ideas in their local environments. While articles must be methodologically and theoretically sound, any research orientation is acceptable. This means that papers may have an analytical and statistical, behavioural, economic and financial (including agency), sociological, critical, or historical basis. The editors consider articles for publication which fit into one or more of the following subject categories: • Financial statement audits • Public sector/governmental auditing • Internal auditing • Audit education and methods of teaching auditing (including case studies) • Audit aspects of corporate governance, including audit committees • Audit quality • Audit fees and related issues • Environmental, social and sustainability audits • Audit related ethical issues • Audit regulation • Independence issues • Legal liability and other legal issues • Auditing history • New and emerging audit and assurance issues