(2007) Information Security Governance and Internal Audits: A Processual Model.pdf

  • About 17,900 words
  • About 5 pages
  • Published 2018-01-31 in Zhejiang

INFORMATION SECURITY GOVERNANCE AND INTERNAL AUDITS: A PROCESSUAL MODEL

Sushma Mishra
Virginia Commonwealth University
mishras@

Abstract

Internal audits play an important role in risk mitigation, security governance, and information assurance in an organization. This research presents a processual model to conceptualize the audit function in an organization by addressing three fundamental questions about internal audits: what, why and how? The proposed model suggests that internal audits are an integral part of overall security governance and thus of an information assurance program in an organization.

Keywords: internal audit, security governance, information assurance

Introduction

Information security breaches are costly for organizations. Incidents such as Enron and Barings Bank have totally changed the landscape of the information security governance process. With the advent of the Sarbanes-Oxley Act (commonly referred to as SOX), security governance has been redefined in terms of internal controls assessment and information assurance. Security governance can be viewed as structures and processes that ensure the integrity of the information flow and of business processes. Moultan and Cole (2003) conceptualize security governance as a way of establishing and maintaining a control environment to manage risks that relate to confidentiality, integrity and availability of information and its supporting processes and systems. The Institute of Internal Auditors (2006) defines a systems audit as an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations”. Recent developments in the regulatory environment have brought signific
