The Production of Comfort : - How Financial Auditors Experience that they Become Comfortable with I T -auditors

Hedman, Sara, Törnby, Alexander, Påhlman, Lisa

January 2015

Auditors need to feel comfortable when signing the audit in order to produce comfort to society. Today, most companies use complex IT-systems that require that an IT-audit is performed. Rarely auditors possess the sufficient knowledge to perform the IT-audit and therefore an external part of the audit team is involved, namely IT-auditors. It can therefore be problematic for the auditors to ensure the quality of this part of the audit. In this thesis we aim to widen the understanding of how IT-auditors affect how auditors experience that they become comfortable. To investigate the addressed problem the following research question is asked: How do financial auditors experience that they become comfortable with IT-auditors? Ten auditors were interviewed on how they experience the different senses of the Comfort theory to become comfortable. With these senses as background, the study’s aim is to gain a perception of how auditors in Sweden perceive that they become comfortable with IT-auditors, which makes the auditor comfortable to sign the audit. The conclusions are that certain characteristics, such as technical and social skills together with good communication and understanding of the IT- auditors work is perceived as important factors for auditors to become comfortable

Auditors

comfort

comfort theory

information technology

IT-auditors

IT-auditing

A proposed framework that enhances the quality of cyber security audits

Matsikidze, Hezel

23 March 2023

The need to protect information systems or assets remains crucial today. Innovations in technology have led to rapid developments and as technology continues to advance, so is the need to protect information systems. Amongst numerous effects of cyber-attacks on organizations, huge financial losses which in turn affect the economy have since been reported. Cyber security audits need to be strengthened to tighten the protection of information systems. The importance of cybersecurity audits is widely endorsed in literature. Nonetheless, frameworks used to audit cybersecurity are viewed as‘sometimes' weak links to cybersecurity due to their drawbacks in auditing cyber security. A review of literature indicated that cyber-attacks are more rampant in the African continent with the financial sector being the most targeted. Literature also highlighted that the use of relevant frameworks for auditing cyber security improves the quality and effectiveness of audits thereby enhancing cyber security. Studies in information systems have mostly looked at the adoption of frameworks, types of cyber threats and tools needed to audit. Nonetheless, it is important to note that few scholars have examined the applicability and effectiveness of the existing frameworks in auditing cyber security. Furthermore, previous studies emphasize on enhancing cyber security without a particular focus on auditing cyber security including assessing the role of the auditor during the process. As a result, this study looked at cyber security from an auditing perspective with a particular focus on the strengths and weaknesses of the current frameworks that are being used to audit cyber security including. The study also looked at the factors that enhance the effectiveness of cyber security audits. The study draws from different theories, literature and from the strengths and drawbacks of existing frameworks to create an explanatory model. To statistically test and evaluate the model, a quantitative research approach was employed to collect, analyze, and interpret data from South Africa. Data was collected using a questionnaire which was distributed to IT auditors and cyber security professionals from the Information Systems Audit and Control Association (ISACA) South African chapter members. The National Institute of Standards and Technology (NIST) cyber security framework was found to be the widely adopted framework followed by the International Organization for Standardization (ISO) standards, with the Control Objectives for Information Technologies (COBIT) being the least employed framework. The COBIT framework was found to be more aligned to Information Technology governance rather than cyber security. Furthermore, results of this study indicate that effectiveness of cyber security audits is dependent upon competencies of auditors including their ethics and integrity. Results further indicate that frameworks used for auditing are effective to some extent if properly implemented. A proper alignment of an auditor's competencies which include ethics and integrity, and an adoption of a relevant framework will result in effective cyber security audits that reduce the risks of cyber-attacks. Concerning the contribution to practice, results from this study can help organizations to determine and review focus areas of cyber security auditing that they need to emphasize and develop on. Furthermore, the developed model can be used by auditors to develop an audit plan and conduct audits that are effective in identifying, protecting, detecting, preventing, and recovering information systems or assets. The methodological, theoretical, and practical contributions are further discussed in this thesis along with limitations, recommendations, and areas for future research.

Cyber security

Frameworks

IT auditing

Information assets

Information systems