Internal Auditing in a digitalised world : A qualitative study about the internal auditor´s approach in providing assurance of cybersecurity

Abstract: This study aims to contribute to internal auditing´s body of knowledge. This will be done by identifying and evaluating the approaches taken by internal auditors in assuring in the management of an organisation's cybersecurity. Qualitative research has been undertaken for this study by collecting data through semistructured interviews. A total of five internal auditors, also members of the IIA, were interviewed for the data. Thematic analysis was used to analyse the data. Previous literature was examined, and four concepts were identified to analyse the data. These are internal auditing, cybersecurity, information security and assurance. Data collected through the interviews have been studied through these concepts and the theory of the Three Lines of Defence Model. Results showed that internal auditors assure reasonable cybersecurity through their audits from an independent position. Both internal auditors and information security are critical for cybersecurity. Assuring cybersecurity is challenging due to the people factor. Furthermore, internal auditors exert huge influence within organisations which should be used with integrity and objectivity. The study shows that internal auditors should expand their skills and competencies to assure cybersecurity in today´s new risk landscape. Internal auditors should also use their influence actively to assist in building a cybersecurity-aware culture.