INTEGRATING CYBERSECURITY INTO INTERNAL AUDIT THROUGH A SELF-ASSESSMENT TOOL BASED ON A SYSTEMATIC LITERATURE REVIEW

CERNOVSCHI Cristina-Raluca

Stefan cel Mare University of Suceava, România

Email: cristina.cernovschi09@gmail.com

https://orcid.org/0009-0001-6548-2608

CIUBOTARIU Marius-Sorin

Stefan cel Mare University of Suceava, România

Email: marius.ciubotariu@usm.ro

https://orcid.org/0000-0002-8560-9223

MIHAILA Svetlana

Academy of Economic Studies of Moldova, Republic of Moldova

Email: svetlana.mihaila@ase.md

https://orcid.org/0000-0001-5289-8885

DOI: https://doi.org/10.36004/nier.es.2025.1-08

JEL Classification: M40, M41

UDC: 336.76

Received 10 December 2024

Accepted for publication 15 March 2025

SUMMARY.

.In an era where technological innovations are reshaping organisations' operational strategies, bringing new challenges related to data protection and privacy, internal auditing is compelled to expand its scope to include the risks associated with cybersecurity. In this context, we propose a systematic review of 16 studies indexed in the Web of Science database covering the period 2017-2025, selected through clear inclusion and exclusion criteria, based on capturing the interdependence between the internal audit function and an enterprise's cybersecurity to assess the contribution of internal auditors in mitigating cyber risks. The results are presented as a categorisation of the available studies according to the ideas addressed by the authors, as well as a company-level self-assessment for the integration of cybersecurity into the internal audit process. These findings are of dual relevance: firstly, they assist academics in tracking the main interests in this area and identifying gaps in the literature; secondly, they help companies diagnose the maturity level of integrating cybersecurity into internal audit processes. However, these results are limited by the analysis of a small number of studies, as restricted access to some articles prevented their inclusion in the review.

Keywords: internal audit, cybersecurity, innovative technology, assurance, cyber risks

Introduction

With the increasing assimilation of manual processes by intelligent technologies, cybersecurity is becoming an emerging topic among internal audit committees. The main risk factor of cyber-attacks is the misappropriation of a company's assets or the manipulation of data on a computer through the illegal use of hacking knowledge (Dutchak, R., et al.,2021) and differs from other illegalities in that it takes place in cyberspace, not requiring the offender to move physically to the scene of the action. According to a report by IBM (2024) analyzing the financial impact of data breaches globally, in 2024, cyberattacks cost companies an estimated $4.88 million, up 10 per cent from the previous year, and on top of that this was the highest since the pandemic. Cybercriminals operate with complicated and difficult to intercept schemes, and in these situations to which all entities that have included artificial intelligence in their business are involuntarily exposed, internal audit is seen as a savior, due to the assurance role and independence of this department within an organisation. Our study focuses on the challenges faced by internal auditors while internal auditors face when integrating cybersecurity into their assignments and their chances of success. Through a careful literature review, we tried to summarize the added value that the internal audit department brings to the organisation in minimizing cyber risks. The results of our work materialized in a thematic framing of the research available to the general public so far in the Web of Science database, identifying three areas of interest: the role and updated competencies of internal auditors, risk minimization solutions developed following security breaches, and the factors leading to a quality cyber audit. This paper contributes to the literature, in addition to providing support to internal audit professionals, and aims to draw the attention of regulators to the lack of clear and up-to-date regulatory frameworks for the current context.

Literature review

Currently, most organisations store their information on IT infrastructures, from business partner details to financial data, leading to a reliance on virtual environments and thus increasing the vulnerability of companies to cybersecurity threats. In addition, the latest technological innovations, while offering multiple benefits, expose organisations to the risk of compromise of sensitive information. All this means that internal audit has to reconsider its mode of action and proactively engage in minimizing cybersecurity risks. In this context, the literature tries to cover as broad a scope as possible on the relationship between internal audit and cybersecurity.

Professionals in the field provide us with studies that trace the ways in which how internal auditing can help prevent data breaches; internal auditing should consider in its activity what cyber threats the company is facing, then it should propose the implementation of special programs for monitoring the company's digital behavior and develop a set of procedures for the use of cyberspace (Dutchak, et al., 2021). Moreover, some authors (Usman, et al., 2023) attempt to characterize internal auditors and assess their risk awareness, citing professional ethics, personality traits and rewards as influential factors in detecting cybersecurity issues. Similarly,(Jiang, 2024). statistically demonstrates that Statistically, auditors' rewards grow directly proportional to the company's exposure to attacks.

Also, to support internal auditors, researchers analyze the level of vulnerability of business sectors to risks associated with IT infrastructure, according to (Arcuri, et al., 2018), the financial sector is considered the most prone to cyber-attacks because banks are additionally tasked with defending their financial assets. Analogously, (Gulyas & Kiss, 2023), manage to identify the most common attack methods that cybercriminals use on financial institutions (social engineering and phishing, ransomware attacks) and propose customized solutions for this industry (blockchain technology implementation) which in their opinion should be treated differently from the others for the direct impact it has on the economy. Furthermore, (Kelton & Yang, 2025) find that if a company operating in a particular industry suffers a cyber attack, the whole industry is affected and the effects are usually reflected on reputation (Fotis, 2024). In addition to reputation, the directly affected company faces costs related to IT repairs, legal expenses or business continuity disruptions. We can even find in the literature a guide proposed by Sánchez-García which he calls CRAG, and which contains 7 steps and 28 activities, accompanied by practical applications and implementation examples, as well as aspects to be taken into account when writing the audit report. Ferreira et al. (2025) based on risk management theory, presents processes and tools used in internal audit to assess and continuously improve cyber controls such as interdepartmental cooperation, continuous audit, or real-time monitoring. Consistent with the other context of smart technology development, Chin et al. (2025) built a cybersecurity auditing model based on an autonomous agent using Large Language Model, which can identify breaches of security policies such as password violations.

After reviewing the scientific sources dealing with cybersecurity and internal audit, we can conclude that although the main issues are touched upon, the dynamics of the subject mean that they cannot cover all aspects in depth. This conclusion stems from the fact that cybersecurity is a constantly evolving field, influenced by technological innovations, and the speed with which cyber attackers act. Therefore, in the following, we will give a complete overview of all the topics discussed at the moment to see in which areas there is still work to be done and where the literature has reached saturation point.

Methodology

An important step in achieving the proposed goal is the choice of an appropriate research method, so in order to be able to present an overview of the involvement of internal auditors in reducing the threat of cybersecurity breaches, we considered it appropriate to use the SLR (systematic literature review) method, which consists of an analysis of all existing studies in a database on a given topic. In our case, we chose Web of Science as the documentation space, and the search expression was "cybersecurity in internal audit". As to how the relevant studies were selected, we have included all the details in Table 1.

Table 1. Selection criteria for studies included in the analysis

Source: own processing

As can be seen in the table above, the studies included in the analysis were conducted over a period of 9 years., Wwe also preferred to focus only on articles, 4 proceeding papers, 3 review articles and 2 early access were excluded. Our search was limited by open access to papers,; 14 studies dealing with the topic of adopting cybersecurity risks in annual internal audit plans, conducted in the years 2024 and 2025, were eliminated. Limiting open access influences the results, as more recent studies that certainly contain novel approaches could not be included because they could not be fully analyzed. Refinement of the database resulted in 16 available studies that met all criteria:, each study was subjected to critical interpretation and thematically categorized. Specifically, we read all articles in their entirety, identified the purpose and outcomes, first extracted them all into a table, then based on keywords identified common purposes, and then created three thematic categories: the role of internal auditors in ensuring cybersecurity, determinants of effective cyber auditing, and practical examples of breach or audit. Each individual study has been classified into one of the three categories and discussed, so that in the end, we can synthesize the current knowledge on integrating cyber risks into internal audit activities. The thematic coding process may include an inherent degree of subjectivity as it was done manually and not with the help of any computerized system. Based on the main findings of the 16 thoroughly analyzed studies, we constructed a self-assessment sheet on the need for integrating cybersecurity into internal audit processes addressed to the board of directors. The sheet is divided into 4 points of 5 questions each, the answer to which can be yes or no,. Iin case those who fill in the form feel the need to explain the answer, we have also created an explanation box. The structure and interpretation are drawn from the risk-based audit theory, according to which the audit should correspond to the organisation's exposure and the effectiveness of control measures. The first item looks at the degree of exposure,; the more yes answers, the more exposed the company is, criterion number 2 looks at the measures a company takes to protect itself from cyber risks, and the last two criteria look at the positioning of the internal audit function and the qualities that the internal auditor should possess. A majority of yes answers in these last three sections means that the entity has understood the current context and has adapted to the new requirements, and a negative answer means that the internal audit function urgently needs to be reconfigured. Briefly, after analyzing the 16 studies, based on the scopes, we managed a thematic grouping of the trends in the field, and based on the extracted results we developed a self-assessment sheet on the understanding of the need to adapt internal audit processes in the context of cybersecurity.

Results and discussion

The omnipresence of cyber risk and the major significant financial losses created by data privacy breaches have led to the expansion of the work of internal auditors who are charged with providing independent assurance on the quality of information systems, procedures and strategy to mitigate cyber threats. In addition, the increasing pressures generated by the contagion of damage to other organisations operating in the same environment are driving the audit department to mobilize to prevent threats. In order to gain a clearer understanding of the trends in research on this topic, we conducted a literature review and then grouped the relevant studies according to thematic areas, to be able to make comparisons between findings, but also To gain a clearer understanding of the trends in research on this topic, we conducted a literature review and grouped the relevant studies by thematic areas. This allowed us to make comparisons between findings and proposals.Table 1 below lists studies that focus on the roles that internal auditors play in maintaining strong cybersecurity, the changes that have occurred in the work of auditors, and how three-dimensional internal auditing models have evolved from compliance to proactive engagement.

Table 2. Studies based on identifiying the role of internal audit in cybersecurity

Source: own processing based on literature

The following table summarizes 6 studies indexed in the Web of Science database that emphasize the importance of internal auditing in maintaining cybersecurity in an organisation. The authors of these papers use mixed research methods, both conceptual analysis, interviews, and surveys orand questionnaires. All results have at their center the role of the internal auditor and the idea that traditional duties have become insufficient for today's user requirements. The common themes show that it is not enough for internal auditors to focus only on compliance with entity, state or other internationally mandated policies and procedures, but that they need to be actively involved in evaluating the organisation's strategies and to acquire technical skills. This means assessing password generation policies, how passwords are managed, whether antivirus applications are up to date and working, and if signs of a cyber-attack occur, how employees respond. In addition, they need to conduct cyber-attack simulations to assess the resilience of prevention plans and come up with recommendations. In short, today's internal auditors need to do more than just check what's already been done; they need to help prevent problems before they occur. If we were to look at when the first studies on the role of the internal auditor in preventing cyber risks originated, the first year of publication is 2018. Coupled with the fact that in the same year the General Data Protection Regulation was also implemented and interpreted through orh say that this research emerged as a response to coercive pressures that forced organisations to comply with these rules. With the implementation of this regulation, a number of new responsibilities have been placed on internal auditors, given that the subject of personal data is a sensitive topic that needs to be dealt with at the moment, the role of auditors is starting to tend towards a strategic partner.

After having identified all the research that is only on the role of internal auditors in maintaining cybersecurity, the next aspect addressed by specialists in the field is related to practical examples, which present with the help of case studies both audit models tested in organisations and data breaches. These papers have been grouped in Table 3 for easier visualization.

Table 3. Studies based on organisational measures and response models

Source: own processing based on literature

Examining the papers summarized above, we note the focus on situations that already exist in practice, ranging from evaluating cybersecurity audit models, to calculating financial losses from cyberattacks, to presenting methods of operating small and medium-sized businesses. Given that only three studies were included in this category, there is less emphasis on what already exists in practice. This disproportion indicates that the literature provides an overview but fails to identify implementation methods for varied operational environments. While the focus is on sophisticated cybersecurity auditing methods, it does not take into account the limited resources of SMEs and the fact that these methods can only be implemented by large enterprises. In addition, as regulations are not clear enough and internal auditors are new to cybersecurity auditing, there are few examples of models, and none are customized to business sectors. We therefore see a need for studies targeted at real areas of application and believe that we need to pay more attention to already known incidences in order to learn from them.

The third and broadest category comprises 8 papers that share the common goal of identifying factors that influence the quality of an internal cybersecurity audit. The details have been summarized in Table 4, and in the following we aim to extract from the table the elements that add enhance the value to the cyber audit.

Table 4. Factors Influencing the Effectiveness of Internal Audit in Ensuring Cybersecurity

Source: own processing based on literature

Upon further analysis of the information summarized in the table above, we conclude that several research studies highlight a gap between senior management's awareness of cyber risks and the actual level of integration of these risks into audit processes. Although boards of directors state that cybersecurity is a priority, they are not sufficiently engaged, and there is a lack of adequate communication between management and the audit department. Also, another factor influencing the integration of cybersecurity into audit is the lack of technical skills of auditors, which, contrary to expectations, is not given by certifications, as internal auditors who hold these certifications are not trained to assess IT systems, encryption, firewalls or responses to attacks. At the same time, we see that companies that have had at least one cyber-crimecybercrime are more attentive and more open to accepting the idea that internal auditors should also take on the issue of cybersecurity. These companies are also willing to offer more to internal audit professionals to be more vigilant in their work. Therefore, the determinants of effective internal cyber internal audit mentioned in the studies are: the level of involvement of senior management, the existence of communication between internal audit and IT departments, the level of rewards given to internal auditors and the skills of internal auditors.

In order forFor our study to have practical, not just theoretical, applicability, starting from the three thematic categories discussed by experts in the field: the role of the internal auditor in cybersecurity, organisational measures and response models as well as the determinants of an effective cybersecurity audit, we thought it would be relevant to develop a self-assessment tool to evaluate the degree of integration of cybersecurity in the internal audit process, a checklist type, with binary answers: yes or no, which we considered relevant to divide into 4 dimensions. The first dimension concerns how exposed the company is to risk, and the next three are themes identified in the literature. The questions were formulated by analysing the results and recommendations from each study, considering the challenges faced by companies, the construction of integration models, the elements breached during cyber attacks, and translating theoretical findings into practical applications. This self-assessment sheet will help organisations to see where they stand in relation to the guidelines, advices and models found in the literature.

Table 5. Self-Assessment sheet on the need to integrate cybersecurity into internal audit processes

Source: own processing

In setting the scores, we propose three appropriate levels for each dimension: low, medium, high, which are set according to the number of affirmative answers. We consider a low level when negative answers predominate, a medium level when the number of yes answers is 3, and a high level is equivalent to 4 or 5 yes answers. To interpret the per-set table, we will correlate the answers given for the first dimension with those for the other dimensions. According to these levels of each dimension, we logically interpreted the results, deriving 6 organisational profiles described in the following paragraphs:

Unexposed and unprepared organisation (0 positive answers at first dimension) Although their field of activity does not force them to protect themselves from cyber-attacks and they have not suffered any incidents, the lack of current exposure creates a false security, and in the current context, this profile is the most vulnerable to becoming the target of attackers if they do not invest in prevention measures and internal audit training.

Unexposed and Prepared Organisation (0 positive answers at first dimension). These companies are the most secure, although the risk is low, they have still chosen to protect themselves and involve internal audit in cybersecurity.

Exposed and unprepared organisation. (0-6 positive answers) - This type of entity is susceptible to cyber risks, lacking technical measures and internal audit involvement. In this case urgent decisions should be taken to integrate cybersecurity into the audit processes; the internal auditor should actively participate in the development of procedures and rules, should strengthen the relationship with the IT department in the shortest possible time and invest heavily in technical knowledge training.

Protected organisation but without governance: (7-11 positive answers). Entities that fall into in this category are exposed to cybersecurity risks, have integrated measures, but internal audit is not actively involved. Therefore, organisations at this stage need to consider integrating internal audit into cybersecurity, as the existence of measures does not guarantee their effectiveness. Although the fact that the IT department is in charge of risk prevention, they do not provide independent assurance but are subjective. Auditors may point out that risks are not properly assessed. Although not as urgent as in the first case, the reorganisation of the internal audit function needs to be done.

Exposed but aware organisation: (12-16 positive answers) For these organisations, a relationship between cybersecurity and internal audit is already starting to take shape, but it is still developing, it does not meet all the requirements and there is space for improvement. Internal auditors need to take their role more seriously, consolidate relations with the IT department, improve their security knowledge and continuously evolve a training plan.

Mature integrated organisation: (17-20 positive answers) The companies that are in this category have already integrated cybersecurity into their internal audit, trained auditors, well-developed measures and a high level of exposure. Internal auditors must continue to improve; procedures and controls require regular review and optimisation.

1. Conclusions

The present study aimed to analyze the integration of cybersecurity into the internal audit process through a systematic review of the literature. The first finding is related to the novelty of the topic; the relevant studies were published after 2017, and there are enough aspects not yet discussed. Starting from the 16 identified studies, in our research, we managed to compile the topics into three thematic categories, as we wanted to provide a more structured view of what it means to integrate cybersecurity into the internal audit process. Following this categorization, we could clearly see that the researchers' interests are focused on the reorganisation of the audit function, the skills needed by future professionals, and the financial impact that cyber criminals can cause to companies that neglect cybersecurity risk.

Based on the rankings we have developed a checklist with 20 questions to assess the level of integration of cybersecurity in the internal audit process. For its interpretation we resorted to the creation of 6 organisational profiles that help to self-assess the current status and to identify weaknesses that require intervention to strengthen the relationship between internal audit and cybersecurity.

Based on the rankings, we have created a checklist with 20 questions to evaluate the level of cybersecurity integration within the internal audit process. To interpret this, we developed six organisational profiles that assist in self-assessing the current state and identifying weaknesses that need addressing to enhance the relationship between internal audit and cybersecurity.

This study contributes to the literature by thematically structuring the research on internal audit and cybersecurity in three directions: role, measures, determinants that can be starting points for future analysis. On the application side, the self-assessment sheet and the 6 organisational profiles support organisations in understanding their own positioning and in implementing improvements in the relationship between internal audit and cybersecurity. In contrast to a simple checklist, the proposed tool has a comparative function as the questions are drawn from international literature reviews and organisations can benefit from an assessment against existing global trends and recommendations.

This research was constrained by open access to scholarly materials on the Web of Science platform, and since this study was conducted on the basis of based on critical thinking, we consider the risk of arbitrary categorization, as some research included in the analysis was on the borderline between one category and another.

After examining the existing topics, we found that the issue of cybersecurity in underdeveloped or developing countries is treated superficially,. Ffor example, in Romania, such a topic has not yet been addressed, therefore we propose as that future research directions to investigate the challenges faced by Eastern European countries. The factors that determine the effectiveness of a cyber audit should be studied individually and, last but not least, the need to update the regulatory frameworks should be emphasized. Additionally, to refine the proposed tool, future studies could focus on the practical application of the checklist and the comparison of profiles by business sectors.

REFERENCES

Damodaran, A. (2009). Valuing companies with intangible assets. Stern School of Business. https://pages.stern.nyu.edu/~adamodar/pdfiles/papers/intangibles.pdf

Gamayuni, R. R. (2015). The effect of intangible asset, financial performance and financial policies on the firm value. International Journal of Scientific & Technology Research, 4(1), 202-212. https://www.ijstr.org/final-print/jan2015/The-Effect-Of-Intangible-Asset-Financial-Performance-And-Financial-Policies-On-The-Firm-Value.pdf

Gopalan, R., Kadan, O., & Pevzner, M. (2012). Asset liquidity and stock liquidity. Journal of Financial and Quantitative Analysis, 47(2), 333-364. https://doi.org/10.1017/S0022109012000130

Gu, F., & Lev, B. (2011). Intangible assets: Measurement, drivers, and usefulness. In: G. Schiuma (Ed.), Managing knowledge assets and business value creation in organizations: Measures and dynamics (pp. 110-124). IGI Global. https://doi.org/10.4018/978-1-60960-071-6.ch007

Güleç, Ö. F. (2021). Value relevance of intangibles: A literature review. In: K. T. Çalıyurt (Ed.), Ethics and sustainability in accounting and finance (Vol. II, pp. 109-129). Springer Nature. https://doi.org/10.1007/978-981-15-1928-4_6

Ibrahim, M. M. (2023). The effect of accounting and market indicators on the firm value. International Journal of Research in Finance and Management, 6(2), 164-168. https://doi.org/10.33545/26175754.2023.v6.i2b.264

Keter, C. K. S., Cheboi, J. Y., Kosgei, D., & Chepsergon, A. K. (2023). Financial performance and firm value of listed companies: Financial performance measure ROA versus ROE. Journal of Business, Economics and Management Research Studies, 1(4), 1-11. https://doi.org/10.69897/jobemrs.v1i4.78

Kovalev, V. V. (2014). Financial analysis: Money management. Choice of investments. Reporting analysis. Finance and Statistics.

Lev, B. (2001). Intangibles: Management, measurement, and reporting. Rowman & Littlefield.

Lim, S. C., Macias, A. J., & Moeller, T. (2020). Intangible assets and capital structure. Journal of Banking & Finance, 118, 105873. https://doi.org/10.1016/j.jbankfin.2020.105873

Mackie, C. (Ed.). (2010). Intangible assets: Measuring and enhancing their contribution to corporate value and economic growth. National Academies Press. https://doi.org/10.17226/12745

Martins, M. M., & Lopes, I. T. (2016). Intellectual capital and profitability: A firm value approach in the European companies. Business: Theory and Practice, 17(3), 234-242. https://doi.org/10.3846/btp.2016.673

Medrado, F., Cella, G., Pereira, J. V., & Dantas, J. A. (2016). The relationship between the assets intangibility index and the market value of companies. Revista de Contabilidade e Organizações, 10(28), 32-44. https://doi.org/10.11606/rco.v10i28.119480

Milala, S. I., Ariffin, K. M., Kasim, R., Yassin, A. M., Ishak, M. H., & Kasim, N. (2021, August 2-5). Intangible asset a key driver for company’s performance: An overview. In: Proceedings of the 4th European International Conference on Industrial Engineering and Operations Management (pp. 2555-2565). IEOM Society International. https://ieomsociety.org/proceedings/2021rome/787.pdf

Molodchik, M., Fernández-Jardón, C., & Barajas, A. (2016). Intangible-driven performance: Company size matters. International Journal of Knowledge-Based Development, 7(3), 225-239. https://doi.org/10.1504/IJKBD.2016.078527

Perez, M. M., & Famá, R. (2015). Características estratégicas dos ativos intangíveis e o desempenho econômico da empresa. Unisanta Law and Social Science, 4(2), 107-123. https://ojs.unisanta.br/LSS/article/view/681/680

Pham, L. T. M., Van Vo, L., Le, H. T. T., & Le, D. V. (2018). Asset liquidity and firm innovation. International Review of Financial Analysis, 58, 225-234. https://doi.org/10.1016/j.irfa.2017.11.005

Qureshi, M. J., & Siddiqui, D. A. (2020). The effect of intangible assets on financial performance, financial policies, and market value of technology firms: a global comparative analysis. Asian Journal of Finance & Accounting, 12(1), 26-57. https://doi.org/10.5296/ajfa.v12i1.16655

Saunila, M., & Ukko, J. (2014). Intangible aspects of innovation capability in SMEs: Impacts of size and industry. Journal of Engineering and Technology Management, 33, 32-46. https://doi.org/10.1016/j.jengtecman.2014.02.002

Sen, M., & Oruc, E. (2008). Testing of pecking order theory in ISE (Istanbul stock exchange market). International Research Journal of Finance and Economics, 21(1), 19-26.

Setiadharma, S., & Machali, M. (2017). The effect of asset structure and firm size on firm value with capital structure as intervening variable. Journal of Business & Financial Affairs, 6(4), 1-5. https://doi.org/10.4172/2167-0234.1000298

Steenkamp, N., & Kashyap, V. (2010). Importance and contribution of intangible assets: SME managers' perceptions. Journal of intellectual capital, 11(3), 368-390. https://doi.org/10.1108/14691931011064590

Sullivan Jr., P. H., & Sullivan Sr., P. H. (2000). Valuing intangibles companies: An intellectual capital approach. Journal of Intellectual Capital, 1(4), 328-340. https://doi.org/10.1108/14691930010359234

Takano, H. (2023). Leverage ratio and asset intangibility: Effects on the cross-country and firm level (Bachelor's thesis). Department of Economics & Business.

Yallwe, A. H., & Buscemi, A. (2014). An era of intangible assets. Journal of Applied Finance and Banking, 4(5), 17-26. https://www.scienpress.com/Upload/JAFB/Vol%204_5_2.pdf

Bibliography

Arcuri, M. C., Brogi, M., & Gandolfi, G. (2018). The effect of cyber-attacks on stock returns. Corporate Ownership & Control, 15(2), 70-83.

Bakarich, K. M., & Baranek, D. (2020). Something phish-y is going on here: A teaching case on business email compromise. Current Issues in Auditing, 14(1), A1-A9.

Betti, N., & Sarens, G. (2021). Understanding the internal audit function in a digitalised business environment. Journal of Accounting & Organizational Change, 17(2), 197-216.

Bozkus Kahyaoglu, S., & Caliyurt, K. (2018). Cyber security assurance process from the internal audit perspective. Managerial auditing journal, 33(4), 360-376.

Calvin, C., Eulerich, M., & Holt, M. (2025). Characteristics of cybersecurity and IT involvement by the IA activity. International Journal of Accounting Information Systems, 56, 100726.

Chin, J. H., Zhang, P., Cheong, Y. X., & Pan, J. (2025). Automating Security Audit Using Large Language Model based Agent: An Exploration Experiment. ArXiv.org. https://arxiv.org/abs/2505.10732

Dutchak, R., Kondratiuk, O., Rudenko, O., Shaikan, A., & Shubenko, E. (2021). Internal Audit of Cybercrimes in Information Technologies of Enterprises Accounting. In SHS Web of Conferences (Vol. 100, p. 01006). EDP Sciences.

Elmaasrawy, H. E., & Tawfik, O. I. (2025). Impact of the assertive and advisory role of internal auditing on proactive measures to enhance cybersecurity: Evidence from GCC. Journal of Science and Technology Policy Management, 16(1), 68-93.

Ferreira, L. V. A., Alves, C. A. de M., Peotta de Melo, L., & Nunes, R. R. (2025b). Internal Audit Strategies for Assessing Cybersecurity Controls in the Brazilian Financial Institutions. Applied Sciences, 15(10), 5715. https://doi.org/10.3390/app15105715

Fotis, F. (2024). Economic Impact of Cyber Attacks and Effective Cyber Risk Management Strategies: A light literature review and case study analysis. Procedia Computer Science, 251, 471-478.

Gulyas, O., & Kiss, G. (2023). Impact of cyber-attacks on the financial institutions. Procedia Computer Science, 219, 84-90.

Guohong, Z., Zhongwei, X., Feng, H., & Zhongyi, X. (2025). The audit committee’s IT expertise and its impact on the disclosure of cybersecurity risk. Research in International Business and Finance, 73, 102542.

Héroux, S., & Fortin, A. (2024). How the three lines of defense can contribute to public firms’ cybersecurity effectiveness. International Journal of Disclosure and Governance, 1-20.

IBM. (2024). Cost of a data breach report 2024. IBM. https://www.ibm.com/reports/data-breach .

Islam, M. S., Farah, N., & Stafford, T. F. (2018). Factors associated with security/cybersecurity audit by internal audit function: An international study. Managerial Auditing Journal, 33(4), 377-409.

Jiang, W. (2024). Cybersecurity risk and audit pricing—A machine learning-Based Analysis. Journal of Information Systems, 38(1), 91-117.

Kelton, A. S., & Yang, Y. W. (2025). The Role of Internal Controls in Reducing Cybersecurity Contagion Effects. Current Issues in Auditing, 1-9.

Le, T. D., Le-Dinh, T., & Uwizeyemungu, S. (2024). Search engine optimization poisoning: A cybersecurity threat analysis and mitigation strategies for small and medium-sized enterprises. Technology in Society, 76, 102470.

Masoud, N., & Al-Utaibi, G. (2022). The determinants of cybersecurity risk disclosure in firms’ financial reporting: Empirical evidence. Research in Economics, 76(2), 131-140.

Sabillon, R. (2018). A practical model to perform comprehensive cybersecurity audits. Enfoque UTE, 9(1), 127-137.

Sánchez-García, I. D., Gilabert, T. S. F., & Calvo-Manzano, J. A. (2023, November). CRAG: A Guideline to Perform a Cybersecurity Risk Audits. In International Congress of Telematics and Computing (pp. 517-532). Cham: Springer Nature Switzerland.

Slapničar, S., Axelsen, M., Bongiovanni, I., & Stockdale, D. (2023). A pathway model to five lines of accountability in cybersecurity governance. International journal of accounting information systems, 51, 100642.

Slapničar, S., Vuko, T., Čular, M., & Drašček, M. (2022). Effectiveness of cybersecurity audit. International Journal of Accounting Information Systems, 44, 100548.

Stafford, T., Deitz, G., & Li, Y. (2018). The role of internal audit and user training in information security policy compliance. Managerial Auditing Journal, 33(4), 410-424.

Usman, A., Ahmad, A. C., & Abdulmalik, S. O. (2023). The role of internal auditors characteristics in cybersecurity risk assessment in financial-based business organisations: A conceptual review. International Journal of Professional Business Review: Int. J. Prof. Bus. Rev., 8(8), 32.

Vuko, T., Slapničar, S., Čular, M., & Drašček, M. (2025). Key drivers of cybersecurity audit effectiveness: A neo‐institutional perspective. International journal of auditing, 29(1), 188-206.

Zhou, F., & Huang, J. (2024). Cybersecurity data breaches and internal control. International Review of Financial Analysis, 93, 103174.