The Internal Auditor's Role in Cybersecurity Governance : A qualitative study about the internal auditor's influence on the people factor of cybersecurity

Abstract: Internal auditors have a substantial impact on organisations’ governance. Hence this research aims to uncover the practice of internal auditors in Sweden, especially their part in cybersecurity and the people factor. While previous research point to internal auditing being an oversight governance mechanism for organisations, the threat of a changing risk landscape due to increased digitalisation and business transactions occurring in cyberspace leaves more questions undiscovered. The research implements a qualitative approach. The data was collected by semi-structured interviews conducted with members from IIA working as internal auditors. The IPPF authoritative guidance was also used as complementary data. The data was later analysed through theories such as the Three Lines of Defense. The results demonstrated how internal auditors provide assurance heavily influence organisations’ cybersecurity. However, it is equally essential for auditors to consider the indirect impact they have on the organisation, especially regarding the people factor of cybersecurity and the amount of influence internal auditors have. These findings indicate the need to focus on researching the indirect influence internal auditors have through their soft skills. Professionals should also reflect on their influence in their organisation not to overshadow other important risks.