Graham Gal

The relationship between internal audit and information security: An exploratory investigation

The internal audit and information security functions should work together synergistically: the information security staff designs, implements, and operates various procedures and technologies to protect the organizations information resources, and internal audit provides periodic feedback concerning effectiveness of those activities along with suggestions for improvement. Anecdotal reports in the professional literature, however, suggest that the two functions do not always have a harmonious relationship. This paper presents the first stage of a research program designed to investigate the nature of the relationship between the information security and internal audit functions. It reports the results of a series of semi-structured interviews with both internal auditors and information systems professionals. We develop an exploratory model of the factors that influence the nature of the relationship between the internal audit and information security functions, describe the potential benefits organizations can derive from that relationship, and present propositions to guide future research.

Specification of internal accounting controls in a database environment

Abstract This paper examines the problem of specifying database security controls in a manner such that the resulting segmentation of data and the patterns of access rights are consistent with traditional accounting concepts that govern segregation of duties. The mechanism we use for implementation of these controls in a relational accounting system is that of a “view” implemented on the Query-by-Example database management system. A number of examples are presented in detail and some further aspects of security and integrity constraints are discussed.

SECURQUAL: An Instrument for Evaluating the Effectiveness of Enterprise Information Security Programs

ABSTRACT: The ever-increasing number of security incidents underscores the need to understand the key determinants of an effective information security program. Research that addresses this topic requires objective measures, such as number of incidents, vulnerabilities, and non-compliance issues, as indicators of the effectiveness of an organizations information security activities. However, these measures are not readily available to researchers. While some research has used subjective assessments as a surrogate for objective security measures, such an approach raises questions about scope and reliability. To remedy these deficiencies, this study uses the COBIT Version 4.1 Maturity Model Rubrics to develop an instrument (SECURQUAL) that obtains an objective measure of the effectiveness of enterprise information security programs. We show that SECURQUAL scores reliably predict objective measures of information security program effectiveness. Future research might use the instrument as a surrogate effecti...

Can Sustainability Be Budget for? Evidence from Iran

Sustainability has been interpreted as the fulfillment of current generations’ needs without jeopardizing the needs of future generations. Sustainable development has evolved into an important area of study and has recently entered into governments’ planning and budgeting. This evolution has followed similar pattern in Iran, where the discourse around sustainability and sustainable development in different parts of government and society are increasing. In this chapter, we survey the role of sustainability and its requirements as well as the consequences in macroplanning and budgeting in Iran. For this study, the documents related to budgeting which contain information about sustainability and the way in which sustainability has grown in Iran’s budget preparation are investigated. For this purpose, the Iran’s budget circulars for the 10 years from 2007 to 2016 are reviewed with particular Iran’s attention to the level of sustainability considered. Finally, a picture from budgeting and macroplanning in Iran with the advent of sustainability issues is presented. Sustainability issues like sustainable development and environmental issues have gradually evolved into considering economic, social, and environmental impacts. This chapter will include analysis of all of the three sections. This research will be carried out using content analysis of the documents. Using this method, we are going to investigate, classify, and report the relevant documents. Among the various techniques of content analysis, our study will examine frequency, clusters, and categories. Using these techniques, our aim is to discover sustainability status in Iran’s budget.

Are Sustainability Disclosures Fraudulent

Firms’ financial statements have a well-established set of guidelines for their preparation, presentation, review, and release to the general public. In addition, there has been a great deal of research concerning the sections of the report that are more important. For instance, the net income figure is extremely important and therefore auditors will focus their review procedures to ensure the veracity of this number. In contrast, the procedures used to prepare and release information about a firm’s sustainability activities and its socially responsible performance are not nearly as formal as those for financial statements. There is increasing evidence that stakeholders do use this corporate socially responsible (CSR) information to make decisions concerning their interactions with firms. However, it is not established which specific information in the broad range of a firm’s CSR disclosures is most critical for the different decisions made by stakeholders. The combination of a lack of a well-established reporting framework and a lack of agreement on the most important attributes describing the firm’s sustainability activities makes it difficult to determine whether a material misstatement of CSR activities has occurred. This paper looks at the incentives to disclose favorable CSR information and omit unfavorable CSR information, situations in which this might have occurred, and finally how these disclosures might be viewed as fraudulent.