Compliance with ever-increasing privacy laws, accounting and banking regulations, and standards is a top priority for most organizations. Information security and systems audits for assessing the effectiveness of IT controls are important for proving compliance. Information security and systems audits, however, are not mandatory to all organizations. Given the various costs, including opportunity costs, the problem of deciding when to undertake a security audit and the design of managerial incentives becomes an important part of an organization's control process. In view of these considerations, this paper develops an IT security performance evaluation decision model for whether or not to conduct an IT security audit. A Bayesian extension investigates the impact of new information regarding the security environment on the decision. Since security managers may act in an opportunistic manner, the model also incorporates agency costs to determine the incentive payments for managers to conduct an audit. Cases in which the agency model suggests that it is optimal not to conduct an IT security audit are also discussed.
The 2011 ISACA survey notes that compliance with ever-increasing privacy laws, accounting and banking regulations, and standards is a top priority for most organizations [30]. Accounting regulations have had a visible impact on information security practices in organizations. The Sarbanes–Oxley Act (SOX), emerging international accounting regulations such as the International Financial Reporting Standards (IFRS), and other accounting regulations affect computing practices in public organizations in the United States and worldwide [25]. Although the specific requirements of SOX and IFRS do not explicitly discuss information technology, the profound shift in business records from pen and paper to electronic media has significant implications for IT practices for the purposes of financial reporting. In addition to the external threats, an extensive dependence on technology may inadvertently provide sophisticated means and opportunities for employees to perpetrate fraud in rather simple and straightforward ways [12] and [29]. As IT controls have a pervasive effect on the achievement of many control objectives [26], regulations have implications for IT governance and controls [7], [13] and [18]. In most organizations, since the data that is used in financial reporting is captured, stored, or processed using computer-based systems, achieving a sufficient level of internal controls means that controls have to be put in place for technology use in organizations [22].
From the accounting regulation perspective, public corporations, at least in theory, must go through information systems audits in order to obtain an auditor's report confirming that there are sufficient internal controls. However, this regulation-driven audit is not mandatory for public companies earning annual revenue of less than 2 million dollars or for many organizations that are not public companies. Security surveys show that security audits are the predominant approach in testing the effectiveness of security technologies. Almost 50–65% of companies surveyed report that they carry out security audits [34], but not all companies undertake these investigations. The question thus arises, if system audits are not mandatory, when should firms undertake security audits? IT systems are complex, which makes evaluating their performance and security a complex problem [25]. Audits are often very laborious and expensive [37]. Implementing an IT audit strategy that justifies its cost and which promotes the effective use of information systems is a challenging task [33]. Given the costs involved in carrying out these audits and the opportunity costs of not conducting such audits, the question becomes an important one.
Although literature in the area of the “economics of IT security” is burgeoning with papers dealing with the issue of whether or not to invest in IT security or how to establish the optimal level of investment in IT security [17], [19] and [23], there is hardly any research that deals with the control aspects. Given budgetary constraints, firms often have to decide whether or not to spend resources on non-mandatory security initiatives such as IT security audits. Thus, it is important for a firm's management to have an objective basis and a sound decision model for deciding whether or not to undertake an IT security audit. The decision model we develop attempts to fill a gap in the literature and in practice in this area. More specifically, we consider the question of whether or not to carry out an IT security audit by developing a performance evaluation decision model. The model considers security investments and their relationship to IT audits.
Our approach is similar to the probabilistic variance analysis model in Bierman et al. [5]. The probabilistic variance analysis model [5] demonstrates the conditions under which a cost variance investigation is warranted in a single period setting. Applying this model to the IT security context, we extend Bierman et al.'s [5] model in several ways. First, from an application point, in order to demonstrate the IT audit decision model, we use an IT security investment setting. Second, we incorporate Bayesian decision theory to investigate the impact of new information regarding a security environment on the decision of whether or not to conduct an IT security audit. Lastly, in consideration that security managers may act in an opportunistic manner, we incorporate agency theory into the IT security audit decision problem to determine the incentive payments for audit managers that would motivate them to carry out an audit. We also discuss the efficiency loss of the agency model where an optimal decision may differ from the baseline model (i.e., without agency issues). Our approach is general and is applicable in a wide range of settings, including cyber security auditing and IT manager performance evaluation.
The paper is organized as follows. In the subsequent section, we review the background literature and discuss the security audit research problem. We then develop a decision model that explicitly considers the cost and benefit tradeoffs associated with a system audit with a view to deciding whether or not an IT audit should be performed. Further, we investigate the impact of new information on the IT audit decision. Recently, the cyber security literature has highlighted agency problems that may arise in the information security context. To address this issue, we apply agency theory to determine the incentive costs pertaining to an IT audit decision and extend the analysis to investigate the efficiency loss of the agency model. Finally, we conclude with a discussion of the model's limitations and avenues for future research.
Although the current regulatory environment tries to advocate a controlled environment, it is not imperative for all businesses. Given the budgetary constraints organizations face, non-mandatory security initiatives such as security audits are often overlooked. Motivated by the above, in this paper we develop a performance evaluation decision model that allows firms to decide whether it is worthwhile conducting an IT security audit.
The model developed in this paper makes contributions both to theory and practice. We draw upon the literature in investments in security technologies and cost variance investigation, as well as agency theory. Our model extends Bierman et al.'s [5] cost variance analysis by incorporating a two period IT security investment setting. The model is applicable in a wide range of situations but is especially useful for small firms where SOX requirements do not apply since firms can compare the amount of the unfavorable loss deviation and the probability that the unfavorable loss deviation resulted from uncontrollable factors as a basis for conducting the audit. If the deviations are small and the probability that they are from uncontrollable factors is large, then it is not worth conducting the IT security audit to assess the performance of the IT security manager. We also discuss a case in which an expert opinion is sought regarding the need for more information about the uncertain states. Thus, our model also incorporates the impact of having additional information. More specifically, using Bayesian decision theory, the model allows us to investigate the impact of new information on the IT audit decision. We show that the security audit/no security audit region area shifts depending on the addition of new information.
Regarding agency issues, the model also permits the determination of incentive payments for managers that can motivate them to carry out an audit. Our approach is general and is applicable in a wide range of settings including cyber security auditing and IT manager performance evaluation. The agency model pertaining to the audit decision model allows the determination of the optimal incentive costs that guarantee goal congruence. We also discuss the efficiency loss of the moral hazard, where the optimal decision of the agency model results in a different outcome from what the baseline model suggests. These findings provide useful information for designing managerial incentives in an IT security context.
There are several limitations of the model which provide avenues for further research. First, the loss deviations or the unfavorable variance that is investigated in this paper pertains to a single observation. If the losses occur in several sub-periods and a sequence of observations is available, then a multi-period approach may be more appropriate, which may be determined through future research. The second limitation pertains to the estimation of the parameters of the model, which includes the state probabilities, the opportunity costs associated with future savings, and the cost of manager effort pertaining to conducting an IT security audit. Although these limitations are common in many analytical models, the advantage of the IT security audit model with the agency extension is that it provides a clear criterion based on two parameters, the magnitude of the loss deviation and the probability of losses due to random factors. The model addresses an important management control issue in IT security.
The model considers agency issues commonly observed in in-house audit situations. However, the outsourcing of IT security audits is a common practice today [34], which may result in other issues. While outsourcing an internal audit can provide many advantages such as greater cost savings and improved quality, it can also result in disadvantages such as the lack of loyalty and business knowledge and the loss of a “valuable training ground” [4] and [6]. Firms offering outsourced audit services benefit from economies of scale, while audits done internally can provide benefits due to familiarity with the firm's operations and procedures [8]. In settings where the activities to be controlled are technically specific and complex [1] or in industries that face substantial regulatory scrutiny [9], the employment of in-house internal auditors with industry knowledge may be more cost-efficient. An interesting set of questions for future research includes what factors—for example, the size of the company, the industry in which it operates, and the regulatory effect—would impact the decision of whether to perform in-house or outsourced IT audits? Given the known risks in IT outsourcing [6], which control strategies would be most suited if IT audits are outsourced [32]? What would be an optimal contractual mechanism if the IT audits are outsourced? Finally, what would be the impact on the evaluation of IT security risks if the security audits are outsourced versus performed in-house?
IT security audit setting in this article pertains to classic IT infrastructures. Security becomes challenging in the new cloud computing environments due to factors such as the various models of cloud computing, shared resources, scalability, and third-party hosting [16], [21] and [28]. In this regard, new questions arise as to how the audit decision model would change in cloud environments, what additional factors have to be considered, and could cyber-insurance be an alternative to IT security auditing? These questions create a fertile platform for future research in IT security auditing.
