Bridging the gap: How internal audit and IT can work together to improve information security

October 13, 2010

Internal auditors and information security professionals don't always get along, and it's not really all that difficult to figure out why.

"They just have different cultures and different backgrounds," W. P. Carey Professor of information systems Paul Steinbart explains. "I mean, when you think about it, most information security people have a computer science-type background with very little business focus. Meanwhile, on the internal auditing side, it's all about accounting and business with maybe just a smattering of IT."

To put it another way, internal auditors, the people charged with ensuring that companies are running in the most efficient way possible, and information security staffers, the people charged with protecting their companies' electronic data, simply don't have much -- if anything -- in common.

They don't have the same training. They don't have the same responsibilities. They don't speak the same language.

Steinbart understands the gulf between these two groups. In his work over the years with organizations of all kinds, he's witnessed first-hand the often palpable tension between them. It is a real tension, he says -- and a real problem.

But it's a problem Steinbart believes must be fixed -- must be fixed, that is, in the interest of better information security.

In a new line of research aimed at bridging the gulf between internal audit and information security, Steinbart aims to find hard data that will back up his belief that internal auditors and IT staff can work together effectively, and in so doing, significantly enhance their company's overall information security structure. These disparate groups of professionals may not speak the same language, Steinbart says, and they may often find themselves butting heads, but the reality is, they do have a common interest: The well-being of their company.

"If you go to an information security conference you'll hear all kinds of anecdotal stories about the arms-length, dysfunctional relationships out there between IT and internal audit," says Steinbart, co-author of a widely-used textbook called "Accounting Information Systems."

"The IT people maybe look down on internal audit and say, 'You guys don't know what you're doing.' The internal audit people are more interested in assessing the overall business processes, and so many of them may view this IT stuff as a 'necessary evil.' But the problem in cases like this is that the organization, then, doesn't get the full potential benefits of having those two functions work more closely together."

Different viewpoints, common interests

And, yes, Steinbart says, there are benefits to be had -- significant benefits, actually. The only question is whether organizations -- and the groups themselves -- are willing to put forth the effort to bring those benefits to fruition.

Earlier this year, Steinbart traveled to the National Chung Cheng University in Chiayi, China, for the International Conference on Accounting and Information Technology (ICAIT), which gathered top professionals from both academia and business to discuss risk management, globalization issues, cloud computing, the implementation of IFRS (International Financial Accounting Standards) and other issues with important implications for both accounting and IT.

"As the title of the conference implies, it was all about the intersection of accounting and IT issues," Steinbart says. It was a perfect audience for Steinbart's message, delivered in his keynote, "Audit's Role in Creating an Effective Security Program."

"My focus was on the idea that, traditionally, the accounting folks and IT folks don't generally see eye to eye," says Steinbart. "In fact, recently there was a whitepaper [about the topic] from PriceWaterhouseCoopers, with the title 'Are CFOs from Mars & CIOs from Venus?' -- that paper just shows that internal audit and security have the same disconnect as there is in the broader IT/accounting community."

For companies interested in improving their information security infrastructure, however, this is a disconnect that, according to Steinbart, must be fixed. As he told his ICAIT audience, preventive information security is almost always more effective than corrective or detective information security. And Steinbart says that internal audit can play a hugely valuable role in the creation of an effective preventive IT strategy.

When internal audit groups approach information security properly they are uniquely qualified to offer the kind of "actionable feedback" that can help information security strengthen existing security systems and fix problem areas before they are exploited.

How to get there? Pretty simple, Steinbart says. In fact, he's created a simple list of do's and don'ts -- rules that he says can keep internal audit on the right track in the realm of information security:

  • Internal audit shouldn't focus on "compliance," but rather "process improvement."
  • Internal audit shouldn't act as "policeman," but rather as "partner."
  • Internal audit shouldn't engage in "periodic assessment," but rather "continuous assessment."

"Attitude may be the most important factor. Some auditors like to play the role of 'the bad cops,' and that is obviously not conducive to building a good working relationship, especially as opposed to a situation where you'd have them say, 'We're here to partner with you.'"

A real-world challenge

Anecdotally, at least, Steinbart says there's fairly strong evidence those kinds of "partnerships" really do work -- and that strong internal audit/information security relationships hold tremendous benefits for organizations of all kinds.

But anecdotal evidence doesn't hold much water among academics. So now, he says, the time has come to find some hard data that can really put his idea to the test.

"I'm not looking only at the theory side here, but also at the practical side," Steinbart says. "I'm interested in figuring out what we can do to encourage organizations to foster this kind of [cooperation] and what the real benefits are."

Steinbart is partnering with five organizations and moving forward with research that he hopes will quantify in real terms what companies can expect in return for making the effort to create those ideal internal audit/information security relationships. He's also interested in learning about the very practicality of making those relationships happen.

"The bottom line," he says, "is that it's not going to be a piece of cake."

As Steinbart told his audience at the ICAIT conference, there are real and problematic gulfs between these two groups in educational background, professional experience and work responsibilities. But those aren't the only reasons these groups can't always get along.

In some organizations, there are interpersonal issues that prevent closer working relationships. In others, the business structure itself is problematic.

So bringing the two groups together isn't just going to be a matter of senior management saying they'd like to make it happen. No, Steinbart admits, it might prove to be a real challenge.

But he does believe it's a challenge worth taking on.

"We're only at the beginning stages of looking at those issues," he says. "Hopefully, we can contribute something that will help organizations [operate better] and make the world a safer place."