IT security auditing: A performance evaluation decision model

Authors

  • Hemantha S. B. Herath
  • Tejaswini Herath
Abstract

Keywords: Information technology management; Information technology audit; Information systems audit; Information security audit; Audit decision; Agency model

Compliance with ever-increasing privacy laws, accounting and banking regulations, and standards is a top priority for most organizations. Information security and systems audits for assessing the effectiveness of IT controls are important for proving compliance. Information security and systems audits, however, are not mandatory for all organizations. Given the various costs, including opportunity costs, the problem of deciding when to undertake a security audit and the design of managerial incentives becomes an important part of an organization's control process. In view of these considerations, this paper develops an IT security performance evaluation decision model for whether or not to conduct an IT security audit. A Bayesian extension investigates the impact of new information regarding the security environment on the decision. Since security managers may act in an opportunistic manner, the model also incorporates agency costs to determine the incentive payments for managers to conduct an audit. Cases in which the agency model suggests that it is optimal not to conduct an IT security audit are also discussed.

The 2011 ISACA survey notes that compliance with ever-increasing privacy laws, accounting and banking regulations, and standards is a top priority for most organizations [30]. Accounting regulations have had a visible impact on information security practices in organizations. The Sarbanes–Oxley Act (SOX), emerging international accounting regulations such as the International Financial Reporting Standards (IFRS), and other accounting regulations affect computing practices in public organizations in the United States and worldwide [25].

Although the specific requirements of SOX and IFRS do not explicitly discuss information technology, the profound shift in business records from pen and paper to electronic media has significant implications for IT practices for the purposes of financial reporting. In addition to the external threats, an extensive dependence on technology may inadvertently provide sophisticated means and opportunities for employees to perpetrate fraud in rather simple and straightforward ways [12,29]. As IT controls have a pervasive effect on the achievement of many control objectives [26], regulations have implications for IT governance and controls [7,13,18]. In most organizations, since the data that is used in financial reporting is captured, stored, or processed using computer-based systems, achieving a sufficient level of internal controls means that controls have to be put in place for technology use in …


Similar sources

Evaluation of Unit's Performance in Presence of Subunits by Using GDEA

Data Envelopment Analysis (DEA) is a technique that uses all collected observations to measure performance. This method presents no data about how to operate on a DMU. The present research attempted to study a unit together with all its subunits: if the unit is efficient, all its subunits are efficient too, and if it is inefficient, the analysis shows clearly which one of the subunits makes it ine...


Audit Analysis Models, Security Frameworks and Their Relevance for VoIP

Voice over IP (VoIP) is the transmission of voice and multimedia content over Internet Protocol (IP) networks. This paper reviews models, frameworks and auditing standards proposed to date to manage VoIP security through a literature review, with descriptions of both the historical and philosophical evolution reflecting an adequate knowledge of related research. Three research questions ar...


Auditing overhead, auditing adaptation, and benchmark evaluation in Linux

Logging is a critical component of Linux auditing. However, our experiments indicate that the logging overhead can be significant. The paper aims to measure the performance overhead introduced by the Linux audit framework under various usage patterns. The study of the problem leads to an adaptive audit-logging mechanism. Many security incidents or other important events are often accompanied by ...


A modified Elliptic Curve Digital Signature Algorithm for Public Verifiability with Data dynamics in Cloud Computing

Cloud storage is considered to be the most critical factor in decision making for users, as it largely scales down the infrastructure in terms of size, cost and design. Considering factors such as local storage cost and maintenance, a single-server model can support multiple users on an as-needed basis. This raises concerns for integrity verification, i.e., assuring the correctness of the data stored ava...


Journal title:
  • Decision Support Systems

Volume 57, Issue:

Pages: -

Publication date: 2014