As part of my current research, I would like to have your valuable opinion on the factors affecting the objectivity and effectiveness of Information Security/IT Audit.
Chapter: Cloud Security Auditing: Major Approaches and Existing Challenges
The first talks about the factors that make Cloud security different, which, in a more generic sense, would apply to thinking about how technology affects auditing. The second is a survey of existing Cloud Security auditing.
You mentioned that you are interested in the factors that are important in IT security auditing, and this paper looks at how communication has an impact on influence management:
Article: The Impact of Persuasive Response Sequence and Consistency w...
The role of an audit is to provide evidence on how effective the controls are by analyzing records and collecting evidence. An audit generates artifacts and results. So:
- Unclear audit objectives are going to negatively affect its effectiveness.
- Methodology type can also affect it: qualitative vs. quantitative, and clarifying them.
- The human aspect doesn't often get enough attention, but it's important. For example, consider cognitive bias as a factor that can affect objectivity. It's important to take it into account in, for example, a threat audit.
- We can't ignore that an audit involves some level of uncertainty and that IT systems are complex. Does the auditor focus more on controls and less on risks? Some things aren't broken yet but they will be; will the auditor seek them out?
- There may be an existing conflict between the different involved parties. Or, for example, afterwards trying to disagree with the auditor's findings can also negatively affect the results, as a discussion or rationale is better.
The Influence of Internal Audit on Information Security Effectiveness: Perceptions of Internal Auditors

ABSTRACT

This paper presents the results of a survey of internal auditors’ perceptions about the nature of the relationship between the information security and internal audit functions in their organization and the effect of that relationship on their organization’s information security efforts. We find that internal auditors perceive that increasing the frequency with which they review some information security activities improves the quality of the relationship between the two functions. However, the quality of their relationship with the information security function does not affect either the number of security incidents or the number of audit findings related to information security issues. We also find that internal auditors report that the frequency of audit reviews of information security affects the number of audit findings related to information security but does not affect the number of security incidents. We discuss the implications of our findings for both research and practice.

Keywords: Internal audit, information systems security, information security governance, perceptions, survey
INFORMATION SECURITY EFFECTIVENESS: A RESEARCH FRAMEWORK

Information security has taken on increasing importance as the size and complexity of IT issues continue to grow. Research literature in information security suggests that clarity in policies, systems auditing, and clear deterrence practices enhance organizational information security effectiveness. In this paper we analyze a research framework defining how the three constructs (security policies, deterrence practices and systems auditing) impact information security effectiveness. A survey was conducted to collect data, the results of which suggest that there is a significant relationship between security policies and systems audit with security effectiveness.

Source: Information Security Effectiveness: A Research Framework, Issues in Information Systems.