This paper outlines the results of a survey designed to compare the opinions of internal auditors to one class of audit customers – namely management accountants. To function effectively, internal auditors and the customers of audit services should possess a similar understanding of what makes internal auditing a value‐added activity. Failure to reach this understanding could result in the perception that internal audit is simply an obstacle to achieving production objectives. This can result in underutilized audit services and ignored audit recommendations. Fortunately, internal auditors and management accountants have similar views, but there are a few areas of difference that should be addressed by internal auditors.
Situations such as improvements in business transaction processing and various security issues keep today's information systems in a constant state of change. Serious disruption of company operations can occur when changes are improperly planned and/or carried out. In addition to technological issues, an equally important consideration is in regard to how information system changes will affect organizational personnel. The Institute of Internal Auditors has identified seven steps that can be used to effectively implement change in an information system environment. This along with a discussion of significant issues in managing system patches provides an appropriate background to consider a model for evaluating the maturity of an organization's change management process in an information system environment. The highly respected COBIT guidance from the ISACA is included throughout much of the discussion to provide support for many of the suggested change management practices.
Tremendous improvements in information networking capabilities have brought with them increased security risks resulting from the deterioration of the ability of a physical layer of computer security to protect an organization's information system. As a result, audit committees have had to deal with new security issues as well as the need to understand the cyber perpetrator and ensure the proper training of employees to consider cybersecurity risks. Standard setters including the Institute of Internal Auditors and the American Institute of Certified Public Accountants have issued guidance about lines of defense and reporting on an entity's cybersecurity risk management program and controls, respectively. Each of these topics is considered along with how cybersecurity guidance from COBIT, the National Institute of Standards and Technology, and the Center for Internet Security can be mapped into five cyber infrastructure domains to provide an approach to evaluate a system of cybersecurity.