The Impact of Internal Audit on Effectiveness in Cybersecurity: An Application of Internal Auditors' Perceptions

Ebru TÜZEMEN; Mihriban COŞKUN ARSLAN

doi:10.5281/zenodo.18141435

Authors

Ebru TÜZEMEN Tokat Gaziosmanpasa University https://orcid.org/0009-0000-8843-7984
Mihriban COŞKUN ARSLAN Tokat Gaziosmanpasa University https://orcid.org/0000-0002-6196-9304

DOI:

https://doi.org/10.5281/zenodo.18141435

Keywords:

Internal Audit, Cybersecurity, University Governance, Risk Management, Higher Education

Abstract

This study examines internal audit effectiveness in cybersecurity from the perspective of internal auditors at Turkish universities. Internal audit's role in cybersecurity governance within higher education represents an emerging research area, despite the rapid rise in cyber threats. Therefore, an online questionnaire was distributed to 168 internal auditors employed by state and foundation universities in Turkey, and 52 usable responses were received (30.9% response rate). The questionnaire contained demographic questions and 27 five-point Likert-scale items relating to internal audit effectiveness in cybersecurity. Exploratory factor analysis revealed five factors that summarized the 27 cybersecurity audit effectiveness items, accounting for 78.9% of the total variance. The study also discovered some significant demographics about internal audit in relation to cybersecurity. Over 51.9% of universities reported they outsourced cybersecurity services, 80.8% of internal audit units reported that they had never identified common cyber threats, while also 44.2% of the respondents reported that cybersecurity had never been discussed at the board level. An ANOVA test was also conducted, and the findings highlighted significant differences regarding cybersecurity perceptions based upon the educational background of auditors and knowledge level of the auditors (p<0.05). This study highlights important gaps in governance in relation to cybersecurity and provides evidence for promoting internal audit capabilities for dealing with digital risk management in Turkish universities.

References

Arcagök, M. S., & Erüz, E. (2006). Kamu mali yönetimi ve kontrol sistemi. İstanbul: Maliye Hesap Uzmanları Derneği Yayınları.

Aydın, S. K. (2021). Üniversitelerde iç denetim ve misyon sorunu. Ünye İktisadi ve İdari Bilimler Fakültesi Dergisi, 4(2), 9-22. doi:10.31834/uiibfd.959212

Baker Tilly. (2024). Going back to basics: Higher education internal audit challenges, risks and strategies. Retrieved September 15, 2024, from https://acua.org/resource/going-back-to-basics-higher-education-internal-audit-challenges-risks-and-strategies/

Bayrakçı, E., & Demirel, A. (2017). İç denetimin yapısal ve işlevsel sorunlarının Türkiye'deki üniversiteler bağlamında analizi. Karamanoğlu Mehmetbey Üniversitesi Sosyal ve Ekonomik Araştırmalar Dergisi, 19(33), 52-60. doi:10.18493/kmusekad.400150

BitLyft. (2023, August 18). The state of higher education cybersecurity: Top insights and trends. Retrieved February 12, 2024, from https://www.bitlyft.com/resources/the-state-of-higher-education-cybersecurity-insights-trends

BitSight. (2024, March 6). 7 cybersecurity frameworks to reduce cyber risk in 2024. Retrieved October 15, 2024, from https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk

Ceyhan, İ. F. (2010). İç denetim ve kurumsallaşma (Unpublished master's thesis). Kırıkkale Üniversitesi Sosyal Bilimler Enstitüsü, Kırıkkale.

CompTIA. (2024). State of cybersecurity 2024. Retrieved November 8, 2024, from https://www.comptia.org/content/research/state-of-cybersecurity-report

ConnectWise. (2024). Top cybersecurity frameworks for 2024. Retrieved August 22, 2024, from https://www.connectwise.com/blog/cybersecurity/cybersecurity-frameworks

CrossCountry Consulting. (2024, April 15). Internal audit roles and responsibilities in 2024. Retrieved September 28, 2024, from https://www.crosscountry-consulting.com/insights/blog/internal-audit-roles-responsibilities/

Cybersecurity Tribe. (2024, April 15). NIST cited as the most popular security framework for 2024. Retrieved October 5, 2024, from https://www.cybersecuritytribe.com/articles/nist-security-framework-2024

EDUCAUSE. (2023a, October). 8 considerations when establishing cybersecurity in higher education. EDUCAUSE Review. Retrieved January 18, 2024, from https://er.educause.edu/articles/sponsored/2023/10/8-considerations-when-establishing-cybersecurity-in-higher-education

EDUCAUSE. (2023b, December). 3 key solutions to higher education cybersecurity workforce challenges. EDUCAUSE Review. Retrieved March 5, 2024, from https://er.educause.edu/articles/sponsored/2023/12/3-key-solutions-to-higher-education-cybersecurity-workforce-challenges

Forvis Mazars. (2024, April 8). Navigating the updated IIA's global internal audit standards. Retrieved July 20, 2024, from https://www.forvismazars.us/forsights/2024/03/navigating-the-updated-iia-s-global-internal-audit-standards

Güler, A., & Arkın, A. K. (2019). Siber hijyenin sağlanmasında iç denetimin rolü. Denetişim, (19), 17-40.

Gürler, Ö. K., & Demirogları, S. (2020). Determinants of household education expenditures by education level: the case of Turkey. International Journal Of Contemporary Economics And Administrative Sciences, 10(1), 235-258.

Hazaea, S. A., Tabash, M. I., Khatib, S. F. A., Zhu, J., & Al-Kuhali, A. A. (2020). The impact of internal audit quality on financial performance of Yemeni commercial banks: An empirical investigation. Journal of Asian Finance, Economics and Business, 7(11), 867-875. doi:10.13106/jafeb.2020.vol7.no11.867

Hyperproof. (2024). The future of auditing: What to look for in 2024. Retrieved November 12, 2024, from https://hyperproof.io/resource/the-future-of-auditing-2024/

IIA. (2024). Global internal audit standards. Retrieved August 15, 2024, from https://www.theiia.org/en/standards/2024-standards/global-internal-audit-standards/

Inside Higher Ed. (2024, July 1). University cybersecurity threats remain a concern. Retrieved October 8, 2024, from https://www.insidehighered.com/news/tech-innovation/2024/07/01/university-cybersecurity-threats-remain-concern

ISO. (2022). ISO/IEC 27001:2022 - Information security management systems. Retrieved May 14, 2024, from https://www.iso.org/standard/27001

ISC2. (2023). 2023 cybersecurity workforce study. Booz Allen Hamilton. Retrieved February 25, 2024, from https://www.isc2.org/Research/Workforce-Study

Kalender, İ. (2008). Türk kamu idaresinin yeni yönetim ve denetim sistemleri. Türk İdare Dergisi, (468), 87-103.

KPMG. (2024, January 31). 2024 global internal audit standards. Retrieved June 18, 2024, from https://kpmg.com/us/en/articles/2024/global-internal-audit-standards.html

Korkmaz, U. (2007). Kamuda iç denetim. Bütçe Dünyası Dergisi, 2(25), 4-15.

Malwarebytes Labs. (2023). Ransomware attacks in education sector report. Malwarebytes. Retrieved January 30, 2024, from https://www.malwarebytes.com/resources/files/2024/01/education-sector-ransomware-report

Moody's Investors Service. (2024). Higher education cybersecurity budget analysis. Moody's Corporation. Retrieved September 10, 2024, from https://www.moodys.com/research/higher-education-cybersecurity-budget-analysis

NIST. (2024). Cybersecurity framework 2.0. Retrieved June 25, 2024, from https://www.nist.gov/cyberframework

Ocak, H. S. (2021). İç denetimin gelişen ve değişen dünyasında siber güvenlik ve denetim (Unpublished master's thesis). Marmara Üniversitesi, İstanbul.

OneTrust. (2024). ISO 27001 vs. NIST cybersecurity framework. Retrieved August 8, 2024, from https://www.onetrust.com/blog/iso-27001-vs-nist-cybersecurity-framework/

Öztürk, M. S. (2018). Siber saldırılar, siber güvenlik denetimleri ve bütüncül bir denetim modeli önerisi. Muhasebe ve Vergi Uygulamaları Dergisi, 11(Özel Sayı), 208-232. doi:10.29067/muvu.340848

Pickett, K. S. (2010). The internal auditing handbook (3rd ed.). New York, NY: John Wiley & Sons.

RSM. (2024). IIA issues 2024 global internal audit standards to guide the profession's future. Retrieved July 5, 2024, from https://rsmus.com/insights/services/risk-fraud-cybersecurity/iia-issues-2024-global-internal-audit-standards-to-guide-future.html

Saruhan, Ş. C., & Özdemirci, A. (2018). Bilim, felsefe ve metodoloji (5th ed.). İstanbul: Beta Basım Yayım Dağıtım A.Ş.

Selimoğlu, S. K., & Saldı, M. H. (2019). İşletmelerde siber risklerin analizinde, haritalanmasında ve değerlendirilmesinde iç denetimin rolü. Muhasebe ve Denetime Bakış, 19(57), 75-92.

Slapničar, S., Vuko, T., Čular, M., & Drašček, M. (2022). Effectiveness of cybersecurity audit. International Journal of Accounting Information Systems, 44, 100548. doi:10.1016/j.accinf.2021.100548

StrongDM. (2024, January 22). Cybersecurity audit: The ultimate guide for 2024. Retrieved September 3, 2024, from https://www.strongdm.com/blog/cybersecurity-audit

UpGuard. (2024). How to perform a cybersecurity audit for colleges & universities. Retrieved November 18, 2024, from https://www.upguard.com/blog/how-to-perform-a-cybersecurity-audit-colleges-universities

Uysal, M. C. (2018). Kamu kurumlarında kurumsal risk yönetimi ve risk odaklı iç denetim: İç denetçiler üzerine bir araştırma-II. Denetişim, (18), 35-44.

World Economic Forum. (2024). Global cybersecurity outlook 2024. Geneva: World Economic Forum. Retrieved October 20, 2024, from https://www.weforum.org/reports/global-cybersecurity-outlook-2024/

Yılmaz, O. (2018). Küreselleşme sürecinde dönüşen güvenlik algısı ve siber güvenlik. Cyberpolitik Journal, 2(4), 22-43. doi:10.1234/cyberj.2018.389915

Zorlu, M. (2014). Kâr amacı gütmeyen organizasyonlarda iç kontrol ve iç denetim: Bir devlet üniversitesinde uygulama (Unpublished master's thesis). Nevşehir Hacı Bektaş Veli Üniversitesi Sosyal Bilimler Enstitüsü, Nevşehir.