The role of IT audit and management in cybersecurity governance: A bibliometric review
ABSTRACT The purpose of this study is to investigate whether IT audit and management influence cybersecurity governance, using a systematic bibliometric approach on academic literature from 1977 to 2025. Bibliometric approaches employed in this study allow for tracing publication patterns, developmental hot topics, and knowledge domain of auditing management cybersecurity investigation. The outcomes show that there is an evident move away from technical, check-the-box kind of attitudes to governance focus and technology consideration with emerging focus on internal audit, IT governance as well as upcoming technologies like blockchain. The investigation has value added by combining fragmented knowledge and suggests future directions for attractive cybersecurity governance frameworks.
- Research Article
1
- 10.1108/maj-05-2025-4825
- Dec 5, 2025
- Managerial Auditing Journal
Purpose This study aims to investigate how the internal audit function helps boost an organisation’s cybersecurity quality. The authors focus on the key roles played by the chief audit executive (CAE) competencies in terms of their IT expertise, qualifications and tenure, their interaction with the audit committee (AC), the organisation’s IT governance structure and the role of internal audit (IA) in overseeing cybersecurity.
Design/methodology/approach Data were collected via a survey questionnaire distributed to internal auditors and audit committee members in UK-listed companies, supplemented by relevant archival data where appropriate.
Findings Panel regression findings, validated across both CAEs and AC members, reveal that CAE IT expertise, private CAE-AC meetings and robust IT governance significantly improve cybersecurity quality. Crucially, each additional year of IT audit expertise increases perceived cybersecurity quality by approximately 0.30 units, confirming the high value of deep IT audit expertise. Additionally, IA’s role in policy review, regulatory compliance and risk assessment strengthens cyber resilience.
Practical implications The findings carry important practical implications for organisations, regulators and society. Strengthening IT competencies within internal audit, fostering private dialogue between CAEs and audit committees and embedding cybersecurity into corporate governance frameworks can significantly improve resilience. Beyond organisational benefits, enhanced cybersecurity audit quality supports consumer protection, safeguards privacy and reinforces public trust in digital infrastructures such as health care, banking and government services, aligning with global standards like the General Data Protection Regulation (GDPR) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Originality/value The study makes an original contribution to the literature by examining how synergies among the CAE’s IT competencies, interaction with the audit committee, IT governance and internal audit functions shape the quality of cybersecurity audits.
- Research Article
1
- 10.9734/ajrcos/2025/v18i4621
- Mar 29, 2025
- Asian Journal of Research in Computer Science
Cybersecurity governance is increasingly recognized as a cornerstone of national security, especially in protecting critical infrastructure sectors such as energy, healthcare, finance, telecommunications, and transportation. This study investigates how governance frameworks, IT auditing, and risk management practices collectively reduce cyber threats and enhance the resilience of essential services. Using data from CISA, GAO audit reports, Verizon DBIR, and the World Economic Forum, the study assesses governance effectiveness through a combination of statistical techniques, including regression analysis, survival modeling, and data reduction methods. Findings reveal that organizations adopting both the NIST Cybersecurity Framework and ISO 27001 report a 75.8% reduction in cyber exploits, while IT audits lead to a 38–45% decrease in identified vulnerabilities. Additionally, proactive risk management strategies significantly delay the occurrence of cyber incidents, extending the average time to breach by over 260 days. These results underscore the critical importance of structured cybersecurity governance in minimizing threats and ensuring the continuity of national infrastructure. However, the study also highlights several implementation challenges, including regulatory inconsistencies, budget constraints, and a shortage of skilled cybersecurity professionals. These obstacles vary by region and sector, with under-resourced public institutions and developing economies facing the most significant barriers to effective governance. Recommendations include regulatory harmonization, mandating regular cybersecurity audits, and increasing investments in cybersecurity training and threat intelligence particularly in regions with fragmented oversight. The study offers valuable guidance for policymakers, regulators, and industry leaders seeking to strengthen national resilience in an evolving cyber threat landscape.
- Research Article
9
- 10.1080/07366981.2025.2469366
- Mar 6, 2025
- EDPACS
IT auditing and governance have fueled innovation and change in international trade compliance, yet our knowledge of this area is not complete. To deepen our knowledge, this current research utilized descriptive, bibliometric, and content analyses to explore 240 Web of Science articles. We examined recent publication trends as well as the intellectual topography of this research field. We developed a framework that integrates various concepts, separating IT governance and audit in global trade compliance into four principal components: legal compliance, ethical issues, monitoring, and incentives. These components were analyzed through two theoretical perspectives: governance and performance. This framework suggests some major avenues for future research while filling the existing gaps in how IT governance and audit influence global trade compliance.
- Research Article
- 10.30871/jaic.v8i1.8135
- Jul 25, 2024
- Journal of Applied Informatics and Computing
A company’s performance can be measured by the number and satisfaction of customers, which helps in maintaining customer relationships. Indicators such as customer satisfaction, perception of service, and loyalty can be derived from the Customer Perspective of the Balance Scorecard (BSC). Conducting an IT governance audit is essential to understand how customers perceive a service. The use of the COBIT 4.1 Framework for IT governance audits is recognized for its detailed process, both for business and governance purposes, to avoid vulnerabilities and threats, thereby increasing customer satisfaction. Effective IT governance plays a crucial role in enhancing customer satisfaction and achieving organizational success. This research aims to analyze IT governance audits from a customer perspective using the COBIT 4.1 framework, with a focus on aligning IT strategy with business goals to meet customer expectations. The research method involves key processes in PO8 (Manage Quality) and PO10 (Manage Project) to determine quality standards and influential budgets. Integration with computational techniques for data analysis and IT audit algorithms is carried out to build strong IT governance practices. The computational audit results show maturity levels of 2.59 for PO8 and 3.02 for PO10, indicating areas needing improvement in product quality management and project execution to better meet customer needs. These findings underscore the importance of integrating computational insights to optimize IT governance frameworks and improve organizational performance, especially in customer retention through enhanced project quality management.
- Research Article
12
- 10.12948/issn14531305/17.4.2013.08
- Dec 30, 2013
- Informatica Economica
The use of IT in the financial and accounting processes is growing fast and this leads to an increase in the research and professional concerns about the risks, control and audit of Accounting Information Systems (AIS). In this context, the risk and control of AIS approach is a central component of processes for IT audit, financial audit and IT Governance. Recent studies in the literature on the concepts of risk, control and auditing of AIS outline two approaches: (1) a professional approach in which we can fit ISA, COBIT, IT Risk, COSO and SOX, and (2) a research oriented approach in which we emphasize research on continuous auditing and fraud using information technology. Starting from the limits of existing approaches, our study is aimed to developing and testing an Integrated Approach Model of Risk, Control and Auditing of AIS on three cycles of business processes: purchases cycle, sales cycle and cash cycle in order to improve the efficiency of IT Governance, as well as ensuring integrity, reality, accuracy and availability of financial statements.
Keywords: Risk, Control, Audit, IT Governance, Accounting Information Systems
1 Introduction
The high level of using the information technology in financial and accounting processes in organizations [1] results in an increase in research and professional concerns about the risks, control and audit of Accounting Information Systems (AIS).
The risks and vulnerabilities of Accounting Information Systems may lead to material misstatements in financial reporting. Most times these risks have negative impact on the integrity, accuracy, reality and availability of financial reports [2]; [3]; [4]. In this context, risk and AIS control approach is central to both financial and IT audit processes and IT governance processes within the organization.
In this study, researching financial and IT audit process relations, and using the concepts of risk and control, we developed and applied an integrated approach model of risk, control and auditing of AIS. The purpose of this model is the integration approach of risk, control and AIS audit in the IT audit processes and financial audit processes in order to improve the efficiency of IT Governance, as well as ensuring integrity, reality, accuracy and availability of financial statements.
The paper is structured in four parts. In the introduction we presented the current research regarding the integrated approach of risk, control and auditing in the IT auditor's perception, as well as the financial auditor's perception and we showed the need to develop a model. In the second part, we presented the research methodology. In the third part, we presented the model development and we discussed the findings of applying the model. Finally, we presented our conclusions regarding the research.
2 Literature Review
Recent studies in the literature on the concepts of risk, control and auditing of AIS outline two approaches: (1) a professional approach in which we can fit ISA, COBIT, IT Risk, COSO and SOX [5]; [6]; [7]; [8]; [9]; [10], and (2) a research oriented approach in which we emphasize research on continuous auditing and fraud using information technology [11]; [12]; [13].
According to IFAC-ISA 315 financial auditors must understand and analyze AIS, which can affect financial reporting particularly on: significant transactions systems for financial statements; automatic or manual control procedures through which transactions are recorded, stored and processed in the general ledger, and reported in the Financial Statements; the process of obtaining and presenting the financial reports from the AIS [5].
Also in the professional approach of the risk management process and ensuring the control of AIS, we noticed the COBIT 5 framework [6]. According to ISACA, COBIT 5 is the only business framework for the governance and management of enterprise IT. Analyzing the objectives and the content of COBIT 5, we can say that starting with this version, ISACA has an integrated approach model of the risk, control and auditing of AIS. …
- Research Article
- 10.1080/07366981.2026.2637762
- Mar 1, 2026
- EDPACS
This study investigates the impacts of IT governance, audit, and information security on digital customer engagement with a focus on the moderated mediating effects of unsaid electronic communication (UEC). Governance processes have expanded in significance based on the potential for a foundation of a trusted environment—particularly as organizations in the Digital Age expand their digital operations (Transformation 89–93)—with a solid governance framework, strong IT audit documentation, and cybersecurity penetration over time. The paper commends a conceptual model that designates the quality of governance, audit intensity, and protection of information assets as directly associated with digital customer engagement, as well through indirect connections by their impact on implicit e-signals, which include system reliability, trust cues, privacy assurance, and security pointers. These non-verbal, text-based computer consciousness affect levels of trust, credibility, and perceived institutional legitimacy by customers. The findings recommend that engagement in digital is not only a matter of marketing strategies but also significantly underpinned by governance-based responsibilities and risk management capabilities. The study equipment has valuable implications on how IT governance, audit, and security could be adopted for achieving customer engagement intentions when the digital environment is unstable.
- Research Article
3
- 10.24857/rgsa.v18n4-025
- Jan 12, 2024
- Revista de Gestão Social e Ambiental
Purpose: In order to better understand how IT governance COBIT5 (planning and organization (PO), acquisition and implementation (AI), support and delivery (SD), monitoring and evaluation (ME), guidance and control (GC)), and audit risks interact in Jordanian businesses, this study will examine the moderating role of audit quality. Design/methodology/approach: This study uses a mixed method combining quantitative and qualitative methods. Primary data: IT governance and audit risk with questionnaires distributed to 528 workers from each of the 176 Jordanian companies. The three employees served as a representative sample from the finance, internal audit, and IT departments. Secondary data: Using SPSS software, the data was analyzed to determine the audit quality using the financial statements of Jordanian businesses listed on the Amman Stock Exchange for the year 2020. Results and conclusion: The results of this study have shown that the COBIT5 framework is an important accountability mechanism for motivating expected behavior in the workplace when it comes to technology use. Audit risk is directly affected by the IT governance structure. Practical implications: This study is important for companies in Jordan, by presenting an integrated framework in this study that combines IT governance, audit risks and audit quality. This study was expected to facilitate the companies' efforts by ensuring a sufficient degree of confidence in the applied accounting system and improving the information security within the system to maintain the organizations and audit quality at the same time. Originality/value: This study adds to the body of knowledge on IT governance, audit risk, and audit quality that has concentrated on developing nations, particularly Jordan.
- Research Article
5
- 10.19044/esj.2017.v13n25p72
- Sep 30, 2017
- European Scientific Journal, ESJ
With the development of information technology to carry out effectively their missions the largest part of a variety of organizations, government agencies and services have become dependent on computer systems. For each of the organization’s activities the IT environment must be properly studied and evaluated in which they perform the basic activities. Therefore, in such environment it is necessary to make the information technology audit of IT systems operating reliability and functionality in order to obtain reasonable assurance. IT governance and information systems audit is imperative for successful governance. This paper with a comprehensive literature review defines information technology audit, investigates how IT audit performs in the public sector of Georgia. Also it provides the thorough explanation of the experiences of the Georgian State Audit Office. The study analyses the challenges of the IT audit and points to future development directions of IT audit in the public sector. Although considerable research exists on IT control and on internal auditing, there is limited study that refers to IT evaluation control activities in the public sector auditing. As such, the findings from this research would generate new conclusion to enrich the existing literature on IT related auditing. The findings also may improve the IT evaluation activities in the Georgian public sector.
- Book Chapter
3
- 10.1016/b978-0-12-417159-6.00003-1
- Nov 18, 2013
- The Basics of IT Audit
Chapter 3 - Internal Auditing
- Research Article
3
- 10.1002/isd2.12349
- Oct 8, 2024
- THE ELECTRONIC JOURNAL OF INFORMATION SYSTEMS IN DEVELOPING COUNTRIES
In recent years, IT governance has been a subject of discussion among academics and practitioners. The concern has been on the need to implement governance mechanisms and ensure the right balance of these mechanisms. However, the audit of IT governance mechanisms has received very little attention. This paper aims to analyse the overall impact of IT governance audits on the maturity and coherence of governance mechanisms. Guided by the configurational theory, the researchers argue that when governance mechanisms operate coherently and are regularly audited, there will be improvement in IT governance and the performance of financial institutions. In this study, seven financial services companies in Ghana were reviewed, and their IT governance maturity was assessed after seven months of auditing with a COBIT 5‐driven IT audit framework. Two surveys were conducted, one before and one after the auditing. The findings of the study confirm the claim that regular auditing improves IT governance maturity and coherence. Several governance mechanisms within the case organizations improved to one higher level of maturity on the Capability Maturity Model. This improvement was after seven months of auditing. Regular auditing also improved IT roles and responsibilities, empowered IT personnel and improved the IT budgetary control and architecture of the entities. This study has implications for practice. It emphasizes the importance of independent regular IT auditing and the need to ensure coherence among IT governance mechanisms if effective IT governance is to be achieved in financial institutions.
- Research Article
2
- 10.32782/2224-6282/190-9
- Jan 1, 2024
- Economic scope
The article examines issues of the state and directions of IT audit development. The relevance of the topic lies in the fact that the conditions of the digital economy are characterized by the rapid pace of changes in the field of information technologies, which requires IT audit to constantly develop and adapt to new challenges. The purpose of the article is to generalize views on the interpretation of the essence of IT audit, to characterize the tasks, types, standards in the field of IT audit, to justify the main stages of IT audit, to generalize the tools of IT audit, to determine the main directions of the development of IT audit in the conditions of the digital economy. Methodical approaches to the essence of IT audit by scientists and practitioners are analyzed in the article. Studies have shown that some specialists define IT audit as a type of audit, others propose to understand and apply it only as an intermediate stage of financial audit, and some - as a separate IT consulting service. The tasks of IT audit, its types and standards are described. The main types of audit evidence, methods and tools, as well as sources of information that can be used when conducting an IT audit are analyzed. The main stages of an IT audit are highlighted: preliminary research of the IT audit object and internal audit planning; IT audit and analysis; reporting on IT audit results; tracking the results of implementation of audit recommendations. The recommended process of organizing an internal IT audit at the enterprise. The IT audit toolkit is summarized, namely: IT audit goals; the necessity of its implementation; objects of IT audit; equipment and software used in IT audit, etc. Based on the conducted research, the advantages of conducting an IT audit are summarized. 
The following areas of IT audit development in the conditions of the digital economy have been determined: digital transformation; cyber security; data analytics; cloud technologies; automation; regulatory requirements. The development of IT audit is aimed at improving its methods and approaches, which would meet the modern requirements of business and technology, ensuring the reliability and efficiency of information systems of enterprises.
- Research Article
17
- 10.2308/isys-10140
- Nov 1, 2011
- Journal of Information Systems
In 2008, the Research and Publications Committee of the Information Systems Section of the American Accounting Association decided to sponsor a special issue of the Journal of Information Systems (JIS) entitled “Reviews of Information Systems Research.” The objective of the special issue is to “publish papers that review a stream of research in information systems (IS) broadly defined.” The Committee intended that submissions would review and integrate the IS (information systems) and AIS (accounting information systems) literatures and suggest future research directions in both disciplines. The special issue followed a previous valiant and groundbreaking effort in IS/AIS research integration for the IS section by Professors Vicky Arnold and Steve Sutton (Arnold and Sutton 2002). As editor of this special issue, I took a somewhat different approach to the task than is normal. First, rather than a regular call for papers, I requested researchers to submit extended abstracts. The objectives of this approach were to ensure that the scope of the proposed article was concomitant with the objective of the special issue and to identify any potential overlaps in subject matter. In this process, I was able to negotiate the amalgamation of several writing teams. I also ensured that where there was commonality in subject matter, the writing teams were introduced to each other and worked to manage the writing process. Second, I had clear views on how the papers should be structured. As an author of one of the chapters in the earlier monograph for the IS section, I was impressed with the systematic approach Dr. Arnold took to ensuring a common approach in the structure of the contributions and the discipline exercised in ensuring that the goals of the monograph were achieved. It is simpler to achieve a common approach in a monograph than it is in separate papers in JIS. My ambition was, then, to strongly suggest directions to authors but not to mandate a single approach.
As a consumer of many literature reviews, I realize how easy it is to maroon readers in a Sargasso Sea, not knowing how to navigate their way. Readers need clear navigational markers and a sense of direction. Third, I saw the review process as a mutual exercise among writing teams, reviewers, and myself as editor. Given the scope of this exercise, I deliberately took a more active editorial role than is normal. These objectives probably added somewhat to the time taken for publication but did, I believe, improve the quality of the papers.
- Book Chapter
1
- 10.4018/978-1-60566-346-3.ch005
- Jan 1, 2011
Strategic IT management is increasingly concerned with requirements from regulatory bodies. This conformance part of IT management complements the classic performance side. Ideally both are integrated into IT Governance of an enterprise or organization. With the need to prove compliance with a wide diversity of laws and rules for IT systems (technology, processes, rules) the demand for proven support methods grows. Specifically best practice models are beginning to gain awareness and acceptance for IT Audits and for the less formal IT Assurance projects. The Control Objectives for Information and Related Technology (CobiT) reference model is increasingly being discussed as a framework of choice for IT Audits and IT Assurance. This chapter introduces requirements for IT Audits and IT Assurance projects and discusses the boundaries of applying the CobiT IT Assurance Guide in such environments.
- Research Article
- 10.47363/jesmr/2023(4)184
- Aug 31, 2023
- Journal of Economics & Management Research
This book discusses the digital transformation of auditing and its impacts on internal audits. It poses the question of whether digitalization significantly impacts internal audit practices and methodologies, information technology/information system audit, IT governance, and risk management. Internal audit, particularly IT audit, addresses corporate strategy and alignment, corporate governance, IT governance, agility, risk management, and compliance.
- Research Article
17
- 10.1007/s10997-011-9200-7
- Dec 9, 2011
- Journal of Management & Governance
Information technology (IT) governance is a key component of corporate governance. Effective IT governance can support web-based strategic initiatives such as the dissemination of information on corporate web sites. However, the IT governance literature does not provide insights about the role of IT governance in controlling this information. There is also a lack of research in the web-based reporting literature on the important issue of control of web site content. This comparative case study aims to explore the relationships between IT governance and the control of web site content. In doing so, IT governance structures, processes and relational capabilities, as well as web site content control, are first described for each of four cases. Then, profiles of relationships between IT governance and web site content control are identified and key attributes characterizing the profiles are outlined. Findings suggest that IT governance within firms is more developed than the control of web site content. Moreover, IT governance structures, processes and relational capabilities can be related to control of web site content processes. IT governance structures can also be related to control of web site content structures and relational capabilities. This study contributes to the governance, control and web-based reporting literatures as an exploratory step before building a theory of relationships between IT governance and web site content control. Further, the study has practical implications as it enhances the understanding of the role of Boards of Directors, senior executives and internal auditors in IT governance and the control of web site content.