The Internal Auditor's Role in Cybersecurity Governance : A qualitative study about the internal auditor's influence on the people factor of cybersecurity

Simić, Nikola

January 2022

Internal auditors have a substantial impact on organisations’ governance. Hence this research aims to uncover the practice of internal auditors in Sweden, especially their part in cybersecurity and the people factor. While previous research point to internal auditing being an oversight governance mechanism for organisations, the threat of a changing risk landscape due to increased digitalisation and business transactions occurring in cyberspace leaves more questions undiscovered. The research implements a qualitative approach. The data was collected by semi-structured interviews conducted with members from IIA working as internal auditors. The IPPF authoritative guidance was also used as complementary data. The data was later analysed through theories such as the Three Lines of Defense. The results demonstrated how internal auditors provide assurance heavily influence organisations’ cybersecurity. However, it is equally essential for auditors to consider the indirect impact they have on the organisation, especially regarding the people factor of cybersecurity and the amount of influence internal auditors have. These findings indicate the need to focus on researching the indirect influence internal auditors have through their soft skills. Professionals should also reflect on their influence in their organisation not to overshadow other important risks.

Internal auditing

Cybersecurity

Assurance

Risk Assessment

Three Lines of Defense

Business Administration

Företagsekonomi

Continuous Auditing : Internal Audit at a Crossroads?

Andersson Skantze, Joel

January 2017

Purpose – It is argued that traditional audit methods are becoming outdated in terms of delivering sufficient assurance on business objectives, whereby, a paradigm shift towards continuous auditing (CA) is proposed and perceived as necessary both by academia, standard-setting groups, and business society. However, the practical prevalence of CA is insignificant in relation to the expectations depicted. Therefore, the purpose of this paper is to examine why this is the case by means of investigating what factors that motivate an adoption of CA amongst various internal audit functions (IAFs). Design/methodology/approach – The study draws on the Technology Acceptance Model (TAM), and data are obtained through semi-structured interviews capturing internal auditors’ attitude towards CA, and what factors that influence an adoption. Findings – There is a shattered view on CA amongst IAFs, where the proponents embrace it as a set of value-adding methodologies whilst the opponents argue that it falls outside their responsibility and threaten the independence of the function. Thus, why CA has not been leveraged to its full potential is, in contrast to previous research, not solely attributable to practical factors but also due to the IAFs’ vast differences in approach to CA as a concept. Practical implications – The study has brought attention to the distinguished disparity found in internal auditors’ attitude towards CA. Ultimately, doubts, whether CA should be leveraged by IAFs has come to light. These are hurdles that need to be considered, both by academia, standard-setting groups, and business society if the leap for CA ought to continue. Originality/value – The use of semi-structured interviews contributes to in-depth understandings and insights of the internal auditors’ attitudes towards CA. Moreover, such an approach is more likely to capture the stance towards CA in greater detail than that possible of previous large-scale surveys.

Continuous Auditing (CA)

Continuous Monitoring (CM)

Continuous Assurance

Internal Auditing

Internal Control

Technology Acceptance Model (TAM)

Three Lines of Defense (TLoD)

Business Administration

Företagsekonomi

Internrevision i svenska myndigheter : En studie utifrån de tre ansvarslinjerna

Schönberg, Caroline, Karlsson, Maja

January 2014

Syftet med denna uppsats är att beskriva och analysera svenska myndigheters internrevision för att kunna dra slutsatser om i vilken ansvarslinje de befinner sig i dagsläget samt att föra en diskussion kring internrevisionens oberoende. I denna uppsats har en kvalitativ studie genomförts. Med hjälp av semi-strukturerade intervjuer på sex olika myndigheter med krav på internrevision har empiri insamlats som tillsammans med teoretisk referensram ligger till grund för analys och slutsatser. Studien visar att svenska myndigheters internrevision befinner sig i den tredje ansvarslinjen. Vissa variationer inom den tredje ansvarslinjen kan urskiljas på grund av dels otydliga riktlinjer för internrevisorerna för att kunna bibehålla ett oberoende i samband med råd och stöd och dels på grund av bristfälliga kunskaper i den andra ansvarslinjen avseende hur ansvaret ska fördelas. / The purpose of this essay is to describe and analyze internal audit of the Swedish authorities internal audit in order to draw conclusions about which of The Three Lines of Defense they are positioned in at the present time, and to include a discussion about internal audit’s independence. In this essay, a qualitative study has been conducted. Using data from semi-structured interviews conducted at six different authorities with requirements for internal audit, empirical evidence has been collected. This empirical evidence, together with a theoretical framework constitutes the basis for analysis and conclusions. The study showed that the internal audit of the Swedish authorities is positioned in the third line of defense. Some variations in the third line of defense could be distinguished due to unclear guidelines for internal auditors to maintain independence in connection with advice and support, and also due to insufficient knowledge in the second line of defense regarding how responsibility should be allocated.

Authority

independence

internal audit

internal auditor

internal control

internrevisionsförordning (2006:1228)

The Three Lines of Defense Model

De tre ansvarslinjerna

de tre försvarslinjerna

intern styrning och kontroll

internrevision

internrevisionsförordning (2006:1228)

internrevisor

myndighet

oberoende

[pt] PROPOSTA DE FRAMEWORK PARA O USO DE ROBOTIC PROCESS AUTOMATION NAS AUDITORIAS INTERNAS DE BANCOS BRASILEIROS / [en] ROBOTIC PROCESS AUTOMATION FRAMEWORK PROPOSAL FOR INTERNAL AUDIT IN BRAZILIAN BANKS

ANA PAULA CONCEICAO TEIXEIRA PENNA

18 May 2020

[pt] A Automação Robótica de Processos (RPA) surge como uma nova tecnologia advinda da indústria 4.0, focada na automação de tarefas humanas repetitivas, rotineiras e baseadas em regras. Ela promete eliminar esses processos que consomem mais tempo, sem substituir os sistemas de TI existentes. Consequentemente, reduziria custos e riscos operacionais; e melhoraria a eficiência, os processos internos e a experiência do cliente. Além disso, a RPA tem o potencial de revolucionar a auditoria tradicional, pois minimizaria as atividades tenocráticas, que apresentam baixo valor agregado, e permitiria que os auditores se concentrassem mais em atividades que exijam raciocínio analítico e julgamento profissional. Assim, levaria à ampliação da cobertura dos testes e do monitoramento de transações, aumentando a performance e a qualidade da auditoria contínua. Devido ao exposto, a RPA está sendo vista como um ativo estratégico para enfrentar os desafios da transformação digital. Por ser uma nova tendência, a literatura científica sobre o tema ainda é escassa, mas está crescendo rapidamente. E, nos últimos dois anos, foi amplamente adotada em muitas organizações e instituições financeiras com sucessos e fracassos. Portanto, considerando o modelo das três linhas de defesa, este estudo tem como objetivo propor um framework para implantação da RPA na auditoria interna de bancos brasileiros. / [en] Robotic Process Automation (RPA) emerges as a new 4.0 industry technology focused on the automation of repetitive, routine, rule-based human tasks. It promises to eliminate the most time-consuming processes without replacing existing IT systems. Consequently, reducing costs and operational risks as it improves efficiency, internal processes, and customer experience. Moreover, it has the potential to disrupt the traditional audit model as it minimizes mechanical low added value activities, enabling auditors to concentrate more on assignments that require thinking skills and professional judgment. Thus, it would lead to the expansion of testing and monitoring analytics coverage, enriching continuous audit quality and performance. Due to the above, RPA is being seen as a strategic asset to face the challenges of digital transformation. Since it is a new trend, there is limited literature on the subject, but growing fast. And, in the last couple of years, it has been widely adopted in many industries and financial organizations with successes and failures. Therefore, considering the three lines of defense model, this paper aims to propose an RPA framework for internal audit in Brazilian banks.

[pt] RPA

[pt] BANCOS NACIONAIS

[pt] MODELO DAS TRES LINHAS DE DEFESA

[pt] ROBOTIC PROCESS AUTOMATION

[pt] AUDITORIA CONTINUA

[pt] TRANSFORMACAO DIGITAL

[pt] INDUSTRIA 4 0

[pt] AUDITORIA INTERNA

[en] RPA

[en] BRAZILIAN BANKS

[en] THREE LINES OF DEFENSE MODEL

[en] ROBOTIC PROCESS AUTOMATION

[en] CONTINUOUS AUDITING

[en] DIGITAL TRANSFORMATION

[en] INDUSTRY 4 0

[en] INTERNAL AUDIT