{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,5]],"date-time":"2026-03-05T09:09:37Z","timestamp":1772701777129,"version":"3.50.1"},"reference-count":46,"publisher":"American Accounting Association","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,12,1]]},"abstract":"ABSTRACT<\/jats:title>\n Internal auditors and information security professionals both play important roles in protecting an organization's assets. Indeed, there are potential synergistic benefits if they work together. The relationship between the two functions, however, is not always supportive. This paper presents the results of a survey of information security professionals' perceptions about the nature of the relationship between the information security and internal audit functions in their organization. We find that information security professionals' perceptions about the level of technical expertise possessed by internal auditors and the extent of internal audit review of information security are positively related to their assessment about the quality of the relationship between the two functions. We also find that the quality of the relationship between the internal audit and information security functions is positively associated with perceptions about the value provided by internal audit and, most important, with measures of overall effectiveness of the organization's information security endeavors. We discuss the implications of our findings for both research and practice.<\/jats:p>","DOI":"10.2308\/isys-50510","type":"journal-article","created":{"date-parts":[[2013,5,2]],"date-time":"2013-05-02T22:29:10Z","timestamp":1367533750000},"page":"65-86","source":"Crossref","is-referenced-by-count":33,"title":["Information Security Professionals' Perceptions about the Relationship between the Information Security and Internal Audit Functions"],"prefix":"10.2308","volume":"27","author":[{"given":"Paul John","family":"Steinbart","sequence":"first","affiliation":[{"name":"Arizona State University"}]},{"given":"Robyn L.","family":"Raschke","sequence":"additional","affiliation":[{"name":"University of Nevada, Las Vegas"}]},{"given":"Graham","family":"Gal","sequence":"additional","affiliation":[{"name":"University of Massachusetts"}]},{"given":"William N.","family":"Dilla","sequence":"additional","affiliation":[{"name":"Iowa State University"}]}],"member":"1112","published-online":{"date-parts":[[2013,5,1]]},"reference":[{"issue":"2","key":"2024082915385786300_i1558-7959-27-2-65-Anderson1","first-page":"40","article-title":"A case for a partnership between information security and records information management","volume":"12","author":"Anderson","year":"2012","journal-title":"ISACA Journal"},{"issue":"1","key":"2024082915385786300_i1558-7959-27-2-65-Behn1","first-page":"7","article-title":"The determinants of audit client satisfaction among clients of Big 6 firms","volume":"11","author":"Behn","year":"1997","journal-title":"Accounting Horizons"},{"key":"2024082915385786300_i1558-7959-27-2-65-Bentler1","unstructured":"Bentler, P. M., and E. J. C. Wu. \n 1995. EQS for Windows User's Guide. Encino, CA: Multivariate Software."},{"issue":"4","key":"2024082915385786300_i1558-7959-27-2-65-BouRaad1","doi-asserted-by":"crossref","first-page":"182","DOI":"10.1108\/02686900010322461","article-title":"Internal auditors and a value-added approach: The new business regime","volume":"15","author":"Bou-Raad","year":"2000","journal-title":"Managerial Auditing Journal"},{"key":"2024082915385786300_i1558-7959-27-2-65-Bradach1","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1146\/annurev.so.15.080189.000525","article-title":"Price, authority, and trust: From ideal types to plural forms","volume":"15","author":"Bradach","year":"1989","journal-title":"Annual Review of Sociology"},{"issue":"1","key":"2024082915385786300_i1558-7959-27-2-65-Carcello1","first-page":"1","article-title":"Audit quality attributes: The perceptions of audit partners, preparers, and financial statement users","volume":"11","author":"Carcello","year":"1992","journal-title":"Auditing: A Journal of Practice & Theory"},{"issue":"2","key":"2024082915385786300_i1558-7959-27-2-65-Chapman1","first-page":"55","article-title":"Raising the bar","volume":"58","author":"Chapman","year":"2001","journal-title":"Internal Auditor"},{"key":"2024082915385786300_i1558-7959-27-2-65-Chin1","first-page":"315","article-title":"Partial least squares is to LISREL as principal components analysis is to common factor analysis","volume":"2","author":"Chin","year":"1995","journal-title":"Technology Studies"},{"key":"2024082915385786300_i1558-7959-27-2-65-Chin2","article-title":"The partial least squares approach to structural equation modeling","author":"Chin","year":"1998","journal-title":"Modern Business Research Methods"},{"issue":"3","key":"2024082915385786300_i1558-7959-27-2-65-Collins1","first-page":"26","article-title":"Auditing in the knowledge era","volume":"56","author":"Collins","year":"1999","journal-title":"Internal Auditor"},{"issue":"3","key":"2024082915385786300_i1558-7959-27-2-65-Cronin1","doi-asserted-by":"crossref","first-page":"761","DOI":"10.5465\/amr.2007.25275511","article-title":"Representational gaps, information processing, and conflict in functionally diverse teams","volume":"32","author":"Cronin","year":"2007","journal-title":"The Academy of Management Review"},{"key":"2024082915385786300_i1558-7959-27-2-65-Dittenhofer1","unstructured":"Dittenhofer, M. A., \n \n S. Ramamoorti, \n \n D. E. Ziegenfuss, and R. I. Evans. \n 2010. Behavioral Dimensions of Internal Auditing: A Practical Guide to Professional Relationships in Internal Auditing. Orlando, FL: The Institute of Internal Auditors Research Foundation."},{"issue":"5","key":"2024082915385786300_i1558-7959-27-2-65-Donathan1","first-page":"26","article-title":"So you want to be an IT auditor?","volume":"69","author":"Donathan","year":"2012","journal-title":"Internal Auditor"},{"issue":"1","key":"2024082915385786300_i1558-7959-27-2-65-Fornell1","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1177\/002224378101800104","article-title":"Evaluating structural equation models with unobservable variables and measurement","volume":"18","author":"Fornell","year":"1981","journal-title":"Journal of Marketing Research"},{"issue":"1","key":"2024082915385786300_i1558-7959-27-2-65-Geisser1","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1093\/biomet\/61.1.101","article-title":"A predictive approach to the random effects model","volume":"61","author":"Geisser","year":"1974","journal-title":"Biometrika"},{"issue":"2","key":"2024082915385786300_i1558-7959-27-2-65-Hair2","doi-asserted-by":"crossref","first-page":"139","DOI":"10.2753\/MTP1069-6679190202","article-title":"PLS-SEM: Indeed a silver bullet","volume":"19","author":"Hair","year":"2011","journal-title":"Journal of Marketing Theory and Practice"},{"issue":"3","key":"2024082915385786300_i1558-7959-27-2-65-Henderson1","first-page":"7","article-title":"Plugging into strategic partnerships: The critical IS connection","volume":"31","author":"Henderson","year":"1990","journal-title":"Sloan Management Review"},{"issue":"1","key":"2024082915385786300_i1558-7959-27-2-65-Huber1","first-page":"6","article-title":"Cross understanding: Implications for group cognition and performance","volume":"35","author":"Huber","year":"2010","journal-title":"The Academy of Management Review"},{"issue":"2","key":"2024082915385786300_i1558-7959-27-2-65-Hulland1","doi-asserted-by":"crossref","first-page":"195","DOI":"10.1002\/(SICI)1097-0266(199902)20:2<195::AID-SMJ13>3.0.CO;2-7","article-title":"Use of partial least squares (PLS) in strategic management research: A review of four recent studies","volume":"20","author":"Hulland","year":"1999","journal-title":"Strategic Management Journal"},{"key":"2024082915385786300_i1558-7959-27-2-65-InstituteofInternalAuditorsIIA1","unstructured":"Institute of Internal Auditors (IIA). 2011. International Standards for the Professional Practice of Internal Auditing. Available at: https:\/\/na.theiia.org\/standards-guidance\/mandatory-guidance\/Pages\/Standards.aspx"},{"key":"2024082915385786300_i1558-7959-27-2-65-ITGovernanceInstituteITGI1","unstructured":"IT Governance Institute (ITGI). 2012a. COBIT5: A Business Framework for the Governance and Management of Enterprise It. Rolling Meadows, IL: IT Governance Institute."},{"key":"2024082915385786300_i1558-7959-27-2-65-ITGovernanceInstituteITGI2","unstructured":"IT Governance Institute (ITGI). 2012b. COBIT5 for Information Security. Rolling Meadows, IL: IT Governance Institute."},{"key":"2024082915385786300_i1558-7959-27-2-65-ITGovernanceInstituteITGI3","unstructured":"IT Governance Institute (ITGI). 2012c. COBIT5: Enabling Processes. Rolling Meadows, IL: IT Governance Institute."},{"issue":"1","key":"2024082915385786300_i1558-7959-27-2-65-Ko1","doi-asserted-by":"crossref","first-page":"59","DOI":"10.2307\/25148668","article-title":"Antecedents of knowledge transfer from consultants to clients in enterprise system implementations","volume":"29","author":"Ko","year":"2005","journal-title":"MIS Quarterly"},{"key":"2024082915385786300_i1558-7959-27-2-65-Lee1","doi-asserted-by":"crossref","first-page":"305","DOI":"10.1016\/j.accinf.2011.05.002","article-title":"On the use of partial least squares path modeling in accounting research","volume":"12","author":"Lee","year":"2011","journal-title":"International Journal of Accounting Information Systems"},{"issue":"3","key":"2024082915385786300_i1558-7959-27-2-65-Lindenberg1","first-page":"500","article-title":"Managing joint production motivation: The role of goal framing and governance mechanisms","volume":"36","author":"Lindenberg","year":"2011","journal-title":"The Academy of Management Review"},{"issue":"2","key":"2024082915385786300_i1558-7959-27-2-65-Marcoulides1","doi-asserted-by":"crossref","first-page":"iii","DOI":"10.2307\/25148727","article-title":"Editor's comments","volume":"30","author":"Marcoulides","year":"2006","journal-title":"MIS Quarterly"},{"issue":"4","key":"2024082915385786300_i1558-7959-27-2-65-Mata1","doi-asserted-by":"crossref","first-page":"487","DOI":"10.2307\/249630","article-title":"Information technology and sustained competitive advantage: A resource-based analysis","volume":"19","author":"Mata","year":"1995","journal-title":"MIS Quarterly"},{"key":"2024082915385786300_i1558-7959-27-2-65-McCann1","article-title":"Doing the internal audit-management dance","author":"McCann","year":"2009","journal-title":"CFO.com"},{"issue":"3","key":"2024082915385786300_i1558-7959-27-2-65-Nagy1","doi-asserted-by":"crossref","first-page":"130","DOI":"10.1108\/02686900210419912","article-title":"An assessment of the newly defined internal audit function","volume":"17","author":"Nagy","year":"2002","journal-title":"Managerial Auditing Journal"},{"key":"2024082915385786300_i1558-7959-27-2-65-NationalInstituteofStandardsandTechnologyNIST1","unstructured":"National Institute of Standards and Technology (NIST). 2012. Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4. Available at: http:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r4.pdf"},{"issue":"2","key":"2024082915385786300_i1558-7959-27-2-65-Podsakoff1","doi-asserted-by":"crossref","first-page":"531","DOI":"10.1177\/014920638601200408","article-title":"Self-reports in organizational research: Problems and prospects","volume":"12","author":"Podsakoff","year":"1986","journal-title":"Journal of Management"},{"issue":"1","key":"2024082915385786300_i1558-7959-27-2-65-Ransbotham1","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1287\/isre.1080.0174","article-title":"Choice and chance: A conceptual model of paths to information security compromise","volume":"20","author":"Ransbotham","year":"2009","journal-title":"Information Systems Research"},{"issue":"4","key":"2024082915385786300_i1558-7959-27-2-65-Ray1","doi-asserted-by":"crossref","first-page":"625","DOI":"10.2307\/25148703","article-title":"Information technology and the performance of the customer service process: A resource-based investigation","volume":"29","author":"Ray","year":"2005","journal-title":"MIS Quarterly"},{"issue":"4","key":"2024082915385786300_i1558-7959-27-2-65-Rockart1","first-page":"55","article-title":"The line takes the leadership\u2014IS management in a wired society","volume":"29","author":"Rockart","year":"1988","journal-title":"Sloan Management Review"},{"issue":"1","key":"2024082915385786300_i1558-7959-27-2-65-Ross1","first-page":"31","article-title":"Developing long-term competitiveness through IT assets","volume":"38","author":"Ross","year":"1996","journal-title":"Sloan Management Review"},{"issue":"2","key":"2024082915385786300_i1558-7959-27-2-65-Schroeder1","first-page":"86","article-title":"Audit quality: The perceptions of audit-committee chairpersons and audit partners","volume":"5","author":"Schroeder","year":"1986","journal-title":"Auditing: A Journal of Practice & Theory"},{"issue":"4","key":"2024082915385786300_i1558-7959-27-2-65-Spira1","doi-asserted-by":"crossref","first-page":"640","DOI":"10.1108\/09513570310492335","article-title":"Risk management: The reinvention of internal control and the changing role of internal audit","volume":"16","author":"Spira","year":"2003","journal-title":"Accounting, Auditing and Accountability Journal"},{"key":"2024082915385786300_i1558-7959-27-2-65-Steinbart1","doi-asserted-by":"crossref","first-page":"228","DOI":"10.1016\/j.accinf.2012.06.007","article-title":"The relationship between internal audit and information security: An exploratory investigation","volume":"13","author":"Steinbart","year":"2012","journal-title":"International Journal of Accounting Information Systems"},{"issue":"4","key":"2024082915385786300_i1558-7959-27-2-65-Stewart1","doi-asserted-by":"crossref","first-page":"328","DOI":"10.1108\/02686901011034162","article-title":"Internal audit independence and objectivity: Emerging research opportunities","volume":"25","author":"Stewart","year":"2010","journal-title":"Managerial Auditing Journal"},{"key":"2024082915385786300_i1558-7959-27-2-65-Stoel1","doi-asserted-by":"crossref","first-page":"60","DOI":"10.1016\/j.accinf.2011.11.001","article-title":"An analysis of attributes that impact information technology audit quality: A study of IT and financial audit practitioners","volume":"13","author":"Stoel","year":"2012","journal-title":"International Journal of Accounting Information Systems"},{"issue":"2","key":"2024082915385786300_i1558-7959-27-2-65-Stone1","doi-asserted-by":"crossref","first-page":"111","DOI":"10.1111\/j.2517-6161.1974.tb00994.x","article-title":"Cross-validatory choice and assessment of statistical predictions","volume":"36","author":"Stone","year":"1974","journal-title":"Journal of the Royal Statistical Society"},{"issue":"3","key":"2024082915385786300_i1558-7959-27-2-65-Sundaramurthy1","doi-asserted-by":"crossref","first-page":"397","DOI":"10.2307\/30040729","article-title":"Control and collaboration: Paradoxes of governance","volume":"28","author":"Sundaramurthy","year":"2003","journal-title":"The Academy of Management Review"},{"key":"2024082915385786300_i1558-7959-27-2-65-Tucci1","article-title":"How CISOs can leverage the internal audit process","author":"Tucci","year":"2009"},{"issue":"5","key":"2024082915385786300_i1558-7959-27-2-65-VanPeursem1","doi-asserted-by":"crossref","first-page":"489","DOI":"10.1108\/02686900510598849","article-title":"Conversations with internal auditors: The power of ambiguity","volume":"20","author":"Van Peursem","year":"2005","journal-title":"Managerial Auditing Journal"},{"issue":"1","key":"2024082915385786300_i1558-7959-27-2-65-Wallace1","doi-asserted-by":"crossref","first-page":"185","DOI":"10.2308\/jis.2011.25.1.185","article-title":"Information security and Sarbanes-Oxley compliance: An exploratory study","volume":"25","author":"Wallace","year":"2011","journal-title":"Journal of Information Systems"}],"container-title":["Journal of Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/27\/2\/65\/11869\/isys-50510.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/27\/2\/65\/11869\/isys-50510.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,29]],"date-time":"2024-08-29T17:29:43Z","timestamp":1724952583000},"score":1,"resource":{"primary":{"URL":"https:\/\/publications.aaahq.org\/jis\/article\/27\/2\/65\/1579\/Information-Security-Professionals-Perceptions"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013,5,1]]},"references-count":46,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2013,5,1]]},"published-print":{"date-parts":[[2013,12,1]]}},"URL":"https:\/\/doi.org\/10.2308\/isys-50510","relation":{},"ISSN":["1558-7959","0888-7985"],"issn-type":[{"value":"1558-7959","type":"electronic"},{"value":"0888-7985","type":"print"}],"subject":[],"published":{"date-parts":[[2013,5,1]]}}}