
A Perspective on the Evolution of Information System Security Audits: Challenges and Implications




Journal of Information Systems Security
Volume 12, Number 1 (2016)
Pages 45-72
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Sunita Goel — Siena College, USA
Margaret Garnsey — Siena College, USA
Qi Liu — Siena College, USA
Ingrid Fisher — State University of New York at Albany, USA
Information Institute Publishing, Washington DC, USA




Advances in technology have made it possible to capture vast amounts of financial and non-financial information, while at the same time shifting control away from the producers and assurers of information toward its recipients. As a result, threats to information systems (IS) have grown rapidly, which has made IS security audits more demanding. Assessing the effectiveness of internal controls is a central objective of an IS audit; this is distinct from a financial audit, which deals with the accuracy of financial statements. Security auditing has been part of the auditing profession since the late 1970s, when information technology was first deployed at mass scale in organizations to improve efficiency and productivity. As technology has advanced, however, audits have become increasingly cumbersome, and the pace of innovation has left the auditing profession struggling to keep up. In this paper, we examine the evolution of IS security auditing and discuss how technology is affecting the audit profession.




Information System Security, Security Audits, Audit Tools, Security Controls, Audit Failures




AICPA. 2013. North America Top Technology Initiatives Survey for CPAs, 2013. Available at: TopTechnologyInitiatives/Pages/2013TTI.aspx

Alles, M., Kogan A., Vasarhelyi M. A., Warren J. D. 2007. BNA Accounting Policy & Practice Portfolios Portfolio 5405 Continuous Auditing. Accounting Policy & Practice Series. ISSN 1933-0243

Alles, M.G., Kogan, A., Vasarhelyi, M. A. 2002. Feasibility and Economics of Continuous Assurance, Auditing: A Journal of Practice & Theory 21 (1): 125-138.

Arraj, V. 2013. ITIL: the basics. AXELOS Limited

Auditing Standards Committee, AICPA. 1974. SAS No. 3, The Effects of EDP on the Auditor's Study and Evaluation of Internal Control. In AICPA (Ed.). New York: AICPA.

Auditing Standards Committee, AICPA. 1984. The Effects of Computer Processing on the Examination of Financial Statements. In AICPA (Ed.), (pp. 9). New York: AICPA.

Auditing Standards Committee, AICPA. 1988. SAS No. 56 Analytical Procedures. In AICPA (Ed.). New York: AICPA.

Auditing Standards Committee, AICPA. 1995. SAS No. 78 Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55. In AICPA (Ed.). New York: AICPA.

Auditing Standards Committee, AICPA. 2001. SAS NO. 94: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit. In AICPA (Ed.). New York: AICPA

Beasley, M. S., Carcello, J. V., Hermanson, D. R., Neal, T. L. 2010. Fraudulent Financial Reporting: 1998-2007: COSO.

Beresford, D. R., Katzenbach, N. deB., Rogers, C. B. 2003. Report of the Investigation by the Special Investigative Committee of the Board of Directors of WorldCom, Inc.

Best, P. J., Mohay, G., Alison, A. 2004. Machine-Independent Audit Trail Analysis – A Decision Support Tool for Continuous Audit Assurance. International Journal of Intelligent Systems in Accounting, Finance & Management 12 (2): 85-102.

Byrnes, P. E., Ames, B., Vasarhelyi, M., Warren, D. J. 2012. The Current State of Continuous Auditing and Continuous Monitoring.

Campbell, K., Gordon, L. A., Loeb M. P., Zhou, L. 2003. The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market. Journal of Computer Security, 12: 431-448.

Chou, C. L.-Y., Du, T., Lai, V. S. 2007. Continuous auditing with a multi-agent system. Decision Support Systems 42: 2274–2292.

COSO. 1992. Internal Control-Integrated Framework. Jersey City, NJ: AICPA.

COSO. 2013. The 2013 COSO Framework and SOX Compliance. Available at:

Deloitte. 2014. The 2013 COSO Framework and the Audit Committee. Available at:

Denning, D. E. 1987. An Intrusion-Detection Model. IEEE Transactions on Software Engineering 13 (2): 222-232.

Dowell, C. and Ramstedt, P. 1990. The COMPUTERWATCH Data Reduction Tool. Proc. 13th National Computer Security Conference, Baltimore, MD, October: 99-108.

EDPACS. 1976. Auditor's Responsibility for EDP Controls Extended by Courts. EDPACS: the EDP audit, control and security newsletter 4(5): 8-9

FDIC. 1999. Risk Assessment Tools and Practices for Information System Security. Available at:

FTC. 2013. Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business. Available at:

Gupta, P.P. 2008. Management's Evaluation of Internal Controls under Section 404(a) using the COSO 1992 Control Framework: Evidence from Practice. International Journal of disclosure and Governance 5(1): 48-69.

Haines, J. W., Lippmann, R. P., Fried, D. J., Tran, E., Boswell, S., Zissman, M. A. 2001. 1999 DARPA Intrusion Detection System Evaluation: Design and Procedures. MIT Lincoln Laboratory Technical Report.

Hayes, B. 2003. Conducting a Security Audit: An Introductory Overview. Available at:

Hinson, G. 2007. The State of IT Auditing in 2007, EDPACS, 36:1, 13-31

IIA. 2009. The Role of Internal Auditing in Enterprise-wide Risk Management. The Institute of Internal Auditors. Available at: The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf

ITGI. 2008. Aligning COBIT 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit.

Janvrin, D.J., Payne, E. A., Byrnes, P., Schneider, G. P., Curtis M.B. 2012. The Updated COSO Internal Control—Integrated Framework: Recommendations and Opportunities for Future Research. Journal of Information Systems 26 (2): 189-213.

Jans, M., Alles, M., Vasarhelyi, M. 2014. A field study on the use of process mining of event logs as an analytical procedure in auditing. The Accounting Review 89 (5): 1751-1773

Johnson, J., Lincke, S. J., Imhof, R., Lim, C. 2014. A comparison of international information security regulations. Interdisciplinary Journal of Information, Knowledge, and Management, 9, 89-116. Available at:

Kauffman, R. J., Lee, Y. J., Prosch, M., Steinbart, P. J. 2011. A Survey of Consumer Information Privacy from the Accounting Information Systems Perspective. Journal of Information Systems 25 (2): 47-79.

Klamm, B.K. and Watson, M. W. 2009. SOX 404 Reported Internal Control Weaknesses: A Test of COSO Framework Components and Information Technology. Journal of Information Systems 23 (2): 1-23.

Kuhn, J. R. and Sutton, S. G. 2006. Learning from WorldCom: Implications for Fraud Detection through Continuous Assurance. Journal of Emerging Technologies in Accounting 3: 61-81.

Langelier, C. and Ingram, J. 2001. Security and Privacy in the Age of Uncertainty. National State Auditors Association and the U.S. General Accounting Office: Management Planning Guide for Information Systems Security Auditing.

Li, H., Tian, X., Wei, W., Sun, C. 2012. A Deep Understanding of Cloud Computing Security. Network Computing and Information Security: 98-105. Springer Berlin Heidelberg.

Lin, H., Cefaratti, M., Wallace L. 2012. Enterprise Risk Management, COBIT, and ISO27002: A conceptual analysis. Internal Auditing 27(2): 3-12.

Lineberry, S. 2007. The human element: The weakest link in information security. Journal of Accountancy, 204(5): 44.

Lord, S. 2013. An overview of COSO’s 2013 Internal Control-Integrated Framework. Available at: pdf/wp_coso_2013_internal_control_integrated_framework.pdf

Morency, J. 2005. Best Practice, Practice, Practice. Network World, 22(1).

Nigrini, M. J. and N. Mueller. 2014. Lessons from an $8 million fraud. Journal of Accountancy, August 2014.

Nottingham, C. 1976. Conceptual Framework for Improved Computer Audits. Accounting and Business Research 6(22): 140-148.

Onwubiko, C. 2009. A security audit framework for security management in the enterprise. Commun Inform Sci 45:9–17, Springer.

Parker, D. B., 1998. Fighting Computer Crime: a New Framework for Protecting Information, John Wiley and Sons, Inc., New York, NY.

Ponemon Institute. 2011. 2010 Annual Study: Global Cost of a Data Breach, Symantec Corporation.

Popescu, G., Popescu, V. A., Popescu, C. R. 2007. Information System Security Audit. Manager Journal 6: 81-88

Praxiom Research Group. 2013. ISO IEC 27001 2013 Plain English Introduction. Available at:

Pritchard, J. 1978. Computer security – what is the auditor’s role? Accountancy 89.1023 (Nov. 1978), 81-82

Pugliese, A. J. and Halse, R. 2000. Systrust and Webtrust: technology assurance opportunities. CPA Journal, 70 (11): 28-33

PWC. 2014. The Global State of Information Security Survey 2014. In PWC (Ed.): International Data Group, Inc.

Radovanovic, D., Radojevic, T., Lucic, D., Sarac, M. 2010. Analysis of Methodology for IT Governance and Information Systems Audit. Paper presented at the 6th International Scientific Conference Business and Management 2010, Vilnius.

Rasheed, H. 2014. Data and infrastructure security auditing in cloud computing environments. International Journal of Information Management 34: 364-368.

Rees, J., Bandyopadhyay, S., Spafford, E. H. 2003. PFIRES: A Policy Framework for Information Security. Communications of the ACM 46 (7): 101-106.

SEC. 2011. CF Disclosure Guidance: Topic No. 2. Available at:

SEC. 2013. The Investor’s Advocate: How the SEC Protects Investors, Maintains Market Integrity and Facilitates Capital Formation. Available at:

SEC. 2014a. Examination Priorities for 2014. Available at:

SEC. 2014b. Office of Compliance Inspections and Examinations’ Cybersecurity Initiative. Available at:


Sheaffer, Z., Richardson, B., Rosenblatt, Z. 1998. Early-Warning-Signals Management: A Lesson from the Barings Crisis. Journal of Contingencies and Crisis Management 6(1): 1-22.

Singleton, T., Flesher, D. L., Cassidy, J. 1993. The origins of EDP auditing in North America. The EDP Auditor Journal 3: 52-62.

Stoneburner, G., Goguen, A., Feringa, A. 2002. Risk Management Guide for Information Technology Systems. NIST Special Publication 800-30. National Institute of Standards and Technology, U.S. Department of Commerce.

Sun, L., Srivastava, R. P., Mock, T. J. 2006. An Information Systems Security Risk Assessment Model under the Dempster-Shafer Theory of Belief Functions. Journal of Management Information Systems 22 (4): 109-142.

Teng, H. S., Chen, K., Lu, S.C.Y. 1990. Security audit trail analysis using inductively generated predictive rules. Sixth Conference on Artificial Intelligence Applications 24-29.

White, A. 2012. PwC fined record £1.4m over JP Morgan audit. The Telegraph. Accessed: 5/21/2015.

Zhou, L. 2004. The Value of Security Audits, Asymmetric Information and Market Impact of Security Breaches.