<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.2 20190208//EN" "https://jats.nlm.nih.gov/publishing/1.2/JATS-journalpublishing1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta><journal-id journal-id-type="publisher-id">ES</journal-id><issn pub-type="epub">2587-4187</issn><publisher><publisher-name>National Institute for Economic Research</publisher-name></publisher></journal-meta><article-meta>
      <title-group>
        <article-title>DETERMINATING THE LEVEL OF INTEGRATING CIBERSECURITY IN INTERNAL AUDIT: AN SELF-ASSESSMENT INSTRUMENT STEMMING FROM A SYSTEMATIC LITERATURE REVIEW</article-title>
      </title-group>
      <contrib-group content-type="author">
        <contrib contrib-type="person">
          <name>
            <surname>Cernovschi</surname>
            <given-names>Cristina-Raluca</given-names>
          </name>
          <email>cristina.cernovschi09@gmail.com</email>
          <xref ref-type="aff" rid="aff-1"/>
        </contrib>
        <contrib contrib-type="person">
          <name>
            <surname>Ciubotariu</surname>
            <given-names>Marius-Sorin</given-names>
          </name>
          <email>marius.ciubotariu@usm.ro</email>
          <xref ref-type="aff" rid="aff-2"/>
        </contrib>
        <contrib contrib-type="person">
          <name>
            <surname>Mihaila</surname>
            <given-names>Svetlana</given-names>
          </name>
          <email>svetlana.mihaila@ase.md</email>
          <xref ref-type="aff" rid="aff-3"/>
        </contrib>
      </contrib-group>
      <aff id="aff-1">
        <institution>PhD students,  Ștefan cel Mare University of Suceava, România</institution>
        <country>Romania</country>
      </aff>
      <aff id="aff-2">
        <institution>PhD in economics, Ștefan cel Mare University of Suceava, România</institution>
        <country>Romania</country>
      </aff>
      <aff id="aff-3">
        <institution>PhD in economics, Academia de Studii Economice din Moldova, Republica Moldova</institution>
        <country>Moldova, Republic of</country>
      </aff>
      
    <pub-date pub-type="epub"><day>08</day><month>08</month><year>2025</year><volume/></pub-date><history><date type="received" iso-8601-date="2025-08-08"><day>08</day><month>08</month><year>2025</year></date><date type="published" iso-8601-date="2025-08-08"><day>08</day><month>08</month><year>2025</year></date></history></article-meta>
  </front>
  <body>
    <p>
      <bold>INTEGRATING CYBERSECURITY INTO INTERNAL AUDIT THROUGH A SELF-ASSESSMENT TOOL BASED ON A SYSTEMATIC LITERATURE REVIEW</bold>
    </p>
    <p>
      <bold>CERNOVSCHI Cristina-Raluca</bold>
    </p>
    <p>Stefan cel Mare University of Suceava, România</p>
    <p>Email: cristina.cernovschi09@gmail.com</p>
    <p>
      <bold>CIUBOTARIU Marius-Sorin</bold>
    </p>
    <p>Stefan cel Mare University of Suceava, România</p>
    <p>Email: marius.ciubotariu@usm.ro</p>
    <p>
      <bold>MIHAILA Svetlana</bold>
    </p>
    <p>Academy of Economic Studies of Moldova</p>
    <p>Email: svetlana.mihaila@ase.md</p>
    <p>
      <bold>.</bold>
    </p>
    <p><bold>Keywords: </bold>internal audit, cybersecurity, innovative technology, assurance, cyber risks</p>
    <p>
      <bold>Introduction</bold>
    </p>
    <p>With the increasing assimilation of manual processes by intelligent technologies, cybersecurity is becoming an emerging topic among internal audit committees. The main risk factor of cyber-attacks is the misappropriation of a company's assets or the manipulation of data on a computer through the illegal use of hacking knowledge () and differs from other illegalities in that it takes place in cyberspace, not requiring the offender to move physically to the scene of the action. According to a report by  analyzing the financial impact of data breaches globally, in 2024, cyberattacks cost companies an estimated $4.88 million, up 10 per cent from the previous year, and on top of that this was the highest since the pandemic. Cybercriminals operate with complicated and difficult to intercept schemes, and in these situations to which all entities that have included artificial intelligence in their business are exposed, internal audit is seen as a savior, due to the assurance role and independence of this department within an organisation. Our study focuses on the challenges  integrating cybersecurity into their assignments and their chances of success. Through a careful literature review, we tried to summarize the added value that the internal audit department brings to the organisation in minimizing cyber risks. The results of our work materialized in a thematic framing of the research available to the general public so far in the Web of Science database, identifying three areas of interest: the role and updated competencies of internal auditors, risk minimization solutions developed following security breaches, and the factors leading to a quality cyber audit. This paper contributes to the literature, providing support to internal audit professionals, and aims to draw the attention of regulators to the lack of clear and up-to-date regulatory frameworks for the current context.</p>
    <p>
      <bold>Literatur</bold>
      <bold>e</bold>
      <bold> review</bold>
    </p>
    <p>Currently, most organisations store their information on IT infrastructures, from business partner details to financial data, leading to a reliance on virtual environments and thus increasing the vulnerability of companies to cybersecurity threats. In addition, the latest technological innovations, while offering multiple benefits, expose organisations to the risk of compromise of sensitive information. All this means that internal audit has to reconsider its mode of action and proactively engage in minimizing cybersecurity risks. In this context, the literature tries to cover as broad a scope as possible on the relationship between internal audit and cybersecurity. </p>
    <p>Professionals in the field provide us with studies that trace  internal auditing can help prevent data breaches; internal auditing should consider in its activity what cyber threats the company is facing, then it should propose the implementation of special programs for monitoring the company's digital behavior and develop a set of procedures for the use of cyberspace . Moreover, some authors () attempt to characterize internal auditors and assess their risk awareness, citing professional ethics, personality traits and rewards as influential factors in detecting cybersecurity issues. Similarly,<ext-link xlink:href="https://publications.aaahq.org/jis/article-abstract/38/1/91/12149/Cybersecurity-Risk-and-Audit-Pricing-A-Machine?redirectedFrom=fulltext">(Jiang,</ext-link><ext-link xlink:href="https://publications.aaahq.org/jis/article-abstract/38/1/91/12149/Cybersecurity-Risk-and-Audit-Pricing-A-Machine?redirectedFrom=fulltext"> </ext-link><ext-link xlink:href="https://publications.aaahq.org/jis/article-abstract/38/1/91/12149/Cybersecurity-Risk-and-Audit-Pricing-A-Machine?redirectedFrom=fulltext">2024).</ext-link>  auditors' rewards grow directly proportional to the company's exposure to attacks.</p>
    <p>Also, to support internal auditors, researchers analyze the level of vulnerability of business sectors to risks associated with IT infrastructure, according to , the financial sector is considered the most prone to cyber-attacks because banks are additionally tasked with defending their financial assets. Analogously, (), manage to identify the most common attack methods that cybercriminals use on financial institutions (social engineering and phishing, ransomware attacks) and propose customized solutions for this industry (blockchain technology implementation) which in their opinion should be treated differently from the others for the direct impact it has on the economy. Furthermore, () find that if a company operating in a particular industry suffers a cyber attack, the whole industry is affected and the effects are usually reflected on reputation  . In addition to reputation, the directly affected company faces costs related to IT repairs, legal expenses or business continuity disruptions. We can even find in the literature a guide proposed by Sánchez-García which he calls CRAG, and which contains 7 steps and 28 activities, accompanied by practical applications and implementation examples, as well as aspects to be taken into account when writing the audit report.  based on risk management theory, presents processes and tools used in internal audit to assess and continuously improve cyber controls such as interdepartmental cooperation, continuous audit, or real-time monitoring. Consistent with the other context of smart technology development, <ext-link xlink:href="https://arxiv.org/abs/2505.10732">Chin et al. (2025)</ext-link> built a cybersecurity auditing model based on an autonomous agent using Large Language Model, which can identify breaches of security policies such as password violations.</p>
    <p>After reviewing the scientific sources dealing with cybersecurity and internal audit, we can conclude that although the main issues are touched upon, the dynamics of the subject mean that they cannot cover all aspects in depth. This conclusion stems from the fact that cybersecurity is a constantly evolving field, influenced by technological innovations, and the speed with which cyber attackers act. Therefore, in the following, we will give a complete overview of all the topics discussed at the moment to see in which areas there is still work to be done and where the literature has reached saturation point.</p>
    <p>
      <bold>Met</bold>
      <bold>h</bold>
      <bold>odolog</bold>
      <bold>y</bold>
    </p>
    <p>An important step in achieving the proposed goal is the choice of an appropriate research method, so to be able to present an overview of the involvement of internal auditors in reducing the threat of cybersecurity breaches, we considered it appropriate to use the SLR (systematic literature review) method, which consists of an analysis of all existing studies in a database on a given topic. In our case, we chose Web of Science as the documentation space and the search expression was "cybersecurity in internal audit". As to how the relevant studies were selected, we have included all the details in Table 1.</p>
    <table-wrap id="tbl1">
      <label>Table </label>
      <caption>
        <title>1. Selection criteria for studies included in the analysis</title>
      </caption>
      <table>
        <tr>
          <td>Database</td>
          <td>Web of science</td>
        </tr>
        <tr>
          <td>Query </td>
          <td>Cybersecurity in Internal Audit</td>
        </tr>
        <tr>
          <td>Time period</td>
          <td>2017-2025</td>
        </tr>
        <tr>
          <td>Initial result</td>
          <td>37 studies </td>
        </tr>
        <tr>
          <td>Exclusion criteria:</td>
          <td/>
        </tr>
        <tr>
          <td>- Language</td>
          <td>English=&gt; 37 studies</td>
        </tr>
        <tr>
          <td>- Document type</td>
          <td>Article =&gt; 30 studies</td>
        </tr>
        <tr>
          <td>- Availability</td>
          <td>OpenAccess =&gt; 16 studies available</td>
        </tr>
        <tr>
          <td>Final result</td>
          <td>16 studies analysed</td>
        </tr>
      </table>
    </table-wrap>
    <p>
      <italic>Source: own processing </italic>
    </p>
    <p>As can be seen in the table above, the studies included in the analysis were conducted over a period of 9 years e also preferred to focus only on articles, 4 proceeding papers, 3 review articles and 2 early access were excluded. Our search was limited by open access to papers 14 studies dealing with the topic of adopting cybersecurity risks in annual internal audit plans, conducted in the years 2024 and 2025, were eliminated. Limiting open access influences the results as more recent studies that certainly contain novel approaches could not be included because they could not be fully analyzed. Refinement of the database resulted in 16 available studies that met all criteria each study was subjected to critical interpretation and thematically categorized. Specifically, we read all articles in their entirety, identified the purpose and outcomes, first extracted them all into a table, then based on keywords identified common purposes, and then created three thematic categories: the role of internal auditors in ensuring cybersecurity, determinants of effective cyber auditing, and practical examples of breach or audit. Each individual study has been classified into one of the three categories and discussed, so that in the end we can synthesize the current knowledge on integrating cyber risks into internal audit activities. The thematic coding process may include an inherent degree of subjectivity as it was done manually and not with the help of any computerized system. Based on the main findings of the 16 thoroughly analyzed studies, we constructed a self-assessment sheet on the need for integrating cybersecurity into internal audit processes addressed to the board of directors. The sheet is divided into 4 points of 5 questions each, the answer to which can be yes or no n case those who fill in the form feel the need to explain the answer, we have also created an explanation box. The structure and interpretation are drawn from the risk-based audit theory according to which the audit should correspond to the organisation's exposure and the effectiveness of control measures. The first item looks at the degree of exposure the more yes answers, the more exposed the company is, criterion number 2 looks at the measures a company takes to protect itself from cyber risks, and the last two criteria look at the positioning of the internal audit function and the qualities that the internal auditor should possess. A majority of yes answers in these last three sections means that the entity has understood the current context and has adapted to the new requirements, and a negative answer means that the internal audit function urgently needs to be reconfigured. Briefly, after analyzing the 16 studies, based on the scopes, we managed a thematic grouping of the trends in the field, and based on the extracted results we developed a self-assessment sheet on the understanding of the need to adapt internal audit processes in the context of cybersecurity.</p>
    <p>
      <bold>Re</bold>
      <bold>s</bold>
      <bold>ult</bold>
      <bold>s and discu</bold>
      <bold>ss</bold>
      <bold>ion</bold>
    </p>
    <p>The omnipresence of cyber risk and the financial losses created by data privacy breaches have led to the expansion of the work of internal auditors who are charged with providing independent assurance on the quality of information systems, procedures and strategy to mitigate cyber threats. In addition, the increasing pressures generated by the contagion of damage to other organisations operating in the same environment are driving the audit department to mobilize to prevent threats.  proposals.Table 1 below lists studies that focus on the roles that internal auditors play in maintaining strong cybersecurity, the changes that have occurred in the work of auditors, and how three-dimensional internal auditing models have evolved from compliance to proactive engagement.</p>
    <table-wrap id="tbl2">
      <label>Table </label>
      <caption>
        <title>2. Studies based on identifiying the role of internal audit in cybersecurity</title>
      </caption>
      <table>
        <tr>
          <td>
            <bold>Author </bold>
          </td>
          <td>
            <bold> Title </bold>
          </td>
          <td>
            <bold>Aim, Objectives </bold>
          </td>
          <td>
            <bold>Results</bold>
          </td>
        </tr>
        <tr>
          <td>(2018)</td>
          <td>Cyber security assurance processfrom the internal audit perspective</td>
          <td>The study examines the issues, vulnerabilities and limitations of the internal audit function in ensuring cybersecurity</td>
          <td>The authors note that the role of auditors should be expanded from support to strategic advice, they should provide assurance not only on compliance but also on the methods adopted to manage cybersecurity risks, and cybersecurity should be included in annual audit plans</td>
        </tr>
        <tr>
          <td>(2018)</td>
          <td>The role of internal audit and usertraining in information securitypolicy compliance</td>
          <td>The study focuses on the role of internal auditors in identifying non-compliance with information security policies, focused on the organisation's human resources.</td>
          <td>Research has shown that improving a company's cybersecurity depends on internal audits that identify both non-compliance in the application of procedures and the underlying reasons for breaches.</td>
        </tr>
        <tr>
          <td>(2021)</td>
          <td>Understanding the internal auditfunction in a digitalisedbusiness environment</td>
          <td>The study investigates the changes that have occurred in the internal audit function with the digitization of business</td>
          <td>The researchers emphasize the need for increased attention to cybersecurity risks on the part of internal auditors and the need to hone digital literacy. They also emphasize the advisory role and changing the way internal auditors work.</td>
        </tr>
        <tr>
          <td> (2025)</td>
          <td>Impact of the assertive and advisory role of internal auditing on proactive measures to enhance cybersecurity: evidence from GCC</td>
          <td>This paper aims to determine the impact that the internal auditor's assurance and advisory role has on improving cybersecurity</td>
          <td>The results of the study show that the proactive organisational, human and technical measures taken to improve cybersecurity are positively influenced by the assurance and advisory role of internal audit, while the traditional role influences only technical measures.</td>
        </tr>
        <tr>
          <td>
            <ext-link xlink:href="https://www.sciencedirect.com/science/article/pii/S0275531924003350?casa_token=MfxwN8pVfXwAAAAA:oxnO47vIFFKdqDrAINEHM5c15v9QPxnB1LHt53s37W8sJfOTDYvaCaWl036KZFl1BeYJjuJmFsTa">Guohong, Z., Zhongwei, X., Feng, H., &amp; Zhongyi, X. (2025)</ext-link>
          </td>
          <td>The audit committee's IT expertise and its impact on the disclosure of cybersecurity risk</td>
          <td>The research aims to assess how the internal auditor's IT skills influence the extent to which internal auditors identify and report cybersecurity risks</td>
          <td>The findings of the study state that internal audit with IT skills report cybersecurity risks more often, and for entities with weak corporate governance and weak internal controls, the influence of internal auditors with IT skills is greater</td>
        </tr>
      </table>
    </table-wrap>
    <p>
      <italic>Source: own processing based on literature</italic>
    </p>
    <p>The following table summarizes 6 studies indexed in the Web of Science database that emphasize the importance of internal auditing in maintaining cybersecurity in an organisation. The authors of these papers use mixed research methods, both conceptual analysis, interviews surveys  questionnaires. All results have at their center the role of the internal auditor and the idea that traditional duties have become insufficient for today's user requirements. The common themes show that it is not enough for internal auditors to focus only on compliance with entity, state or other internationally mandated policies and procedures, but that they need to be actively involved in evaluating the organisation's strategies and acquire technical skills. This means assessing password generation policies, how passwords are managed, whether antivirus applications are up to date and working, and if signs of a cyber-attack occur, how employees respond. In addition, they need to conduct cyber-attack simulations to assess the resilience of prevention plans and come up with recommendations. In short, today's internal auditors need to do more than just check what's already been done; they need to help prevent problems before they occur.  If we were to look at when the first studies on the role of the internal auditor in preventing cyber risks originated, the first year of publication is 2018. Coupled with the fact that in the same year the General Data Protection Regulation was also implemented and interpreted through or say that this research emerged as a response to coercive pressures that forced organisations to comply with these rules. With the implementation of this regulation, a number of new responsibilities have been placed on internal auditors, given that the subject of personal data is a sensitive topic that needs to be dealt with at the moment, the role of auditors is starting to tend towards strategic partner.</p>
    <p>After having identified all the research that is only on the role of internal auditors in maintaining cybersecurity, the next aspect addressed by specialists in the field is related to practical examples, which present with the help of case studies both audit models tested in organisations and data breaches. These papers have been grouped in Table 3 for easier visualization.</p>
    <table-wrap id="tbl3">
      <label>Table </label>
      <caption>
        <title>3. Studies based on organisational measures and response models</title>
      </caption>
      <table>
        <tr>
          <td>
            <bold>Author </bold>
          </td>
          <td>
            <bold> Title </bold>
          </td>
          <td>
            <bold>Aim, Objectives </bold>
          </td>
          <td>
            <bold>Results</bold>
          </td>
        </tr>
        <tr>
          <td>
            <ext-link xlink:href="http://scielo.senescyt.gob.ec/scielo.php?pid=S1390-65422018000100127&amp;script=sci_arttext&amp;tlng=en">Sabillon, R. (2018)</ext-link>
          </td>
          <td>A Practical Model to Perform Comprehensive Cybersecurity Audits</td>
          <td>This paper presents a cybersecurity audit model that can be used by internal auditors regardless of the type or size of the organisation.</td>
          <td>The results materialize in the development of a Cybersecurity Security Audit Model (CSAM). This CSAM has 18 domains; domain 1 is specific to national cybersecurity and domains 2-18 can be implemented in any organisation.</td>
        </tr>
        <tr>
          <td>
            <ext-link xlink:href="https://publications.aaahq.org/cia/article/14/1/A1/7039/Something-Phish-y-is-Going-On-Here-A-Teaching-Case">Bakarich, K. M., &amp; Baranek, D. (2020)</ext-link>
          </td>
          <td>Something Phish-y is Going On Here: A Teaching Case on Business Email Compromise</td>
          <td>This study aims to draw attention to the need to include cybersecurity risks in the audit plan by illustrating a real case</td>
          <td>The authors draw attention to the large financial losses that a cyber-attack has caused due to the lack in implementing internal controls and correlate this problem with the deficiencies discovered in company financial reporting</td>
        </tr>
        <tr>
          <td>(2024)</td>
          <td>Search engine optimization poisoning: A cybersecurity threat analysis and mitigation strategies for SMEs</td>
          <td>The research addresses the vulnerability of SMEs to cyber attacks and proposes solutions to mitigate the risks in relation to the resources available to them.</td>
          <td>The results of the study emphasize the need to adopt an organisational culture based on cyber-risk awareness and the need for cybersecurity audits to combat cyber-attacks.</td>
        </tr>
      </table>
    </table-wrap>
    <p>
      <italic>Source: own processing based on literature</italic>
    </p>
    <p>Examining the papers summarized above, we note the focus on situations that already exist in practice, ranging from evaluating cybersecurity audit models, to calculating financial losses from cyberattacks, to presenting methods of operating small and medium-sized businesses. Given that only three studies were included in this category, there is less emphasis on what already exists in practice. This disproportion indicates that the literature provides an overview but fails to identify implementation methods for varied operational environments. While the focus is on sophisticated cybersecurity auditing methods, it does not take into account the limited resources of SMEs and the fact that these methods can only be implemented by large enterprises. In addition, as regulations are not clear enough and internal auditors are new to cybersecurity auditing, there are few examples of models and none are customized to business sectors. We therefore see a need for studies targeted at real areas of application and believe that we need to pay more attention to already known incidences in order to learn from them.</p>
    <p>The third and broadest category comprises 8 papers that share the common goal of identifying factors that influence the quality of an internal cybersecurity audit. The details have been summarized in Table 4, and in the following we aim to extract from the table the elements that  value to the cyber audit.</p>
    <table-wrap id="tbl4">
      <label>Table </label>
      <caption>
        <title>4. Factors Influencing the Effectiveness of Internal Audit in Ensuring Cybersecurity</title>
      </caption>
      <table>
        <tr>
          <td>
            <bold>Author</bold>
          </td>
          <td>
            <bold>Title</bold>
          </td>
          <td>
            <bold>Aim, Objectives</bold>
          </td>
          <td>
            <bold>Results</bold>
          </td>
        </tr>
        <tr>
          <td>
            <ext-link xlink:href="https://www.emerald.com/insight/content/doi/10.1108/maj-07-2017-1595/full/html">Islam, M.S., Farah, N. and Stafford, T.F(2018)</ext-link>
          </td>
          <td>Factors associated with security/cybersecurity audit by internal audit function</td>
          <td>This study aims to see whether certain characteristics of the audit committee and firm management are positively associated with cybersecurity risk reduction.</td>
          <td>The authors found that the degree of involvement of internal auditors determines an effective security audit, the active presence of the Board of Directors helps internal audit in identifying cybersecurity risks, and additional certifications do not increase the effectiveness of cybersecurity audit.</td>
        </tr>
        <tr>
          <td>(2022).</td>
          <td>Effectiveness of cybersecurity audit</td>
          <td>The purpose of this paper is to measure the effectiveness of internal cybersecurity auditing in terms of several determinants.</td>
          <td>The results of the research materialize in a Cybersecurity Audit Index composed of three dimensions: planning, conducting the audit activity, and reporting; the index scores vary between companies,  positively associated with the quality of risk management, and do not significantly correlate with reducing the likelihood of a cyber attack.</td>
        </tr>
        <tr>
          <td>
            <ext-link xlink:href="https://www.sciencedirect.com/science/article/pii/S1090944322000163?casa_token=m1okan1XIowAAAAA:jOJNnLDX6mYHNVAEXgMhT8nE6rATiKUEqGVPKUCbI0_dfGzoBvTWTcX2BT_p_deKyfxIeHkyBc-V"/>
            <ext-link xlink:href="https://www.sciencedirect.com/science/article/pii/S1090944322000163?casa_token=m1okan1XIowAAAAA:jOJNnLDX6mYHNVAEXgMhT8nE6rATiKUEqGVPKUCbI0_dfGzoBvTWTcX2BT_p_deKyfxIeHkyBc-V">Masoud</ext-link>
            <ext-link xlink:href="https://www.sciencedirect.com/science/article/pii/S1090944322000163?casa_token=m1okan1XIowAAAAA:jOJNnLDX6mYHNVAEXgMhT8nE6rATiKUEqGVPKUCbI0_dfGzoBvTWTcX2BT_p_deKyfxIeHkyBc-V"/>
            <ext-link xlink:href="https://www.sciencedirect.com/science/article/pii/S1090944322000163?casa_token=m1okan1XIowAAAAA:jOJNnLDX6mYHNVAEXgMhT8nE6rATiKUEqGVPKUCbI0_dfGzoBvTWTcX2BT_p_deKyfxIeHkyBc-V">, N., &amp; Al-Utaibi, G. (2022)</ext-link>
          </td>
          <td>The determinants of cybersecurity risk disclosure in firms' financial reporting: Empirical evidence</td>
          <td>The research aims to analyze the relationship between reporting deficiencies and the degree of disclosure of cybersecurity risks</td>
          <td>The study results show that organisations that have suffered cyber-attacks increase the quality of their financial reporting, and auditors intensify the audit process by focusing on information breach risks</td>
        </tr>
        <tr>
          <td>
            <ext-link xlink:href="https://www.sciencedirect.com/science/article/pii/S1467089523000349">Slapničar, S., Axelsen, M., Bongiovanni, I., &amp; Stockdale, D. (2023)</ext-link>
          </td>
          <td>A pathway model to five lines of accountability in cybersecurity governance</td>
          <td>This paper examines the influence of the relationship between management and internal audit in ensuring cybersecurity</td>
          <td>The study argues that the role of internal auditors is under-emphasized in ensuring cybersecurity in organisations. The researchers  that employees should be more involved and communicate with the internal audit department so that the latter can include a cybersecurity audit in its plan.</td>
        </tr>
        <tr>
          <td>
            <ext-link xlink:href="https://www.sciencedirect.com/science/article/pii/S1057521924001066?casa_token=VRnOzfFcuw0AAAAA:BNZwQ5F9peKM633dFkuIXdzk058p558b1kENgx2yYcaPS4mJSpteDS04IHIJmGiqskB0UmBrI4bP">Zhou, F., &amp; Huang, J. (2024)</ext-link>
          </td>
          <td>Cybersecurity data breaches and internal control</td>
          <td>The purpose of the research is to analyze how organisations that have experienced cybersecurity incidents respond through the lens of internal control.</td>
          <td>The researchers find that management change is positively correlated with improved internal controls based on preventing cyber-attacks, and usually after an organisation faces such a problem it tends to improve its policies to avoid a recurrence.</td>
        </tr>
        <tr>
          <td>(2024)</td>
          <td>How the three lines of can contribute to public firms' cybersecurity effectiveness</td>
          <td>The paper focuses on how public entities manage cybersecurity issues with an emphasis on the three lines of </td>
          <td>The results of the study emphasize the need for collaboration between internal audit and IT departments to strengthen the data security system as well as the fact that effective internal audit alone does not eliminate problems, but that each line of defene must be actively involved.</td>
        </tr>
        <tr>
          <td>(2025)</td>
          <td>Characteristics of cybersecurity and IT involvement by the IA activity</td>
          <td>The study tracks the level of involvement of internal audit in cybersecurity assurance activities</td>
          <td>The study argues that the role of internal auditors is under-emphasized in ensuring cybersecurity in organisations. Furthermore, the researchers believe that managers and employees should be more involved and communicate with the internal audit department so that the latter can include a cybersecurity audit in its plan.</td>
        </tr>
        <tr>
          <td>
            <ext-link xlink:href="https://onlinelibrary.wiley.com/doi/full/10.1111/ijau.12365">Vuko, T., Slapničar, S., Čular, M., &amp; Drašček, M. (2025)</ext-link>
          </td>
          <td>Key drivers of cybersecurity audit effectiveness: A neo-institutional perspective</td>
          <td>The research analyzes how coercive forces, normative forces and mimetic forces contribute to cybersecurity assurance</td>
          <td>The authors emphasize that cybersecurity is ensured by the training of internal auditors and the support of the board of directors, and is not influenced by international regulations and the outsourcing of IT audit services.</td>
        </tr>
      </table>
    </table-wrap>
    <p>
      <italic>Source: own processing based on literature</italic>
    </p>
    <p>Upon further analysis of the information summarized in the table above, we conclude that several research studies highlight a gap between senior management's awareness of cyber risks and the actual level of integration of these risks into audit processes. Although boards of directors state that cybersecurity is a priority, they are not sufficiently engaged and there is a lack of adequate communication between management and the audit department. Also, another factor influencing the integration of cybersecurity into audit is the lack of technical skills of auditors, which contrary to expectations, is not given by certifications, as internal auditors who hold these certifications are not trained to assess IT systems, encryption, firewalls or responses to attacks. At the same time, we see that companies that have had at least one  are more attentive and more open to accepting the idea that internal auditors should also take on the issue of cybersecurity. These companies are also willing to offer more to internal audit professionals to be more vigilant in their work. Therefore, the determinants of effective internal cyber internal audit mentioned in the studies are: the level of involvement of senior management, the existence of communication between internal audit and IT departments, the level of rewards given to internal auditors and the skills of internal auditors.</p>
    <p> our study to have practical, not just theoretical, applicability, starting from the three thematic categories discussed by experts in the field: the role of the internal auditor in cybersecurity, organisational measures and response models as well as the determinants of an effective cybersecurity audit, we thought it would be relevant to develop a self-assessment tool to evaluate the degree of integration of cybersecurity in the internal audit process, a checklist type, with binary answers: yes or no, which we considered relevant to divide into 4 dimensions. The first dimension concerns how exposed the company is to risk, and the next three are themes identified in the literature. The questions were formulated by analysing the results and recommendations from each study, considering the challenges faced by companies, the construction of integration models, the elements breached during cyber attacks, and translating theoretical findings into practical applications. This self-assessment sheet will help organisations to see where they stand in relation to the guidelines, advices and models found in the literature.</p>
    <table-wrap id="tbl5">
      <label>Table </label>
      <caption>
        <title>5. Self-Assessment sheet on the need to integrate cybersecurity into internal audit processes</title>
      </caption>
      <table>
        <tr>
          <td>
            <bold>Nr.</bold>
          </td>
          <td>
            <bold>Assessment criteria</bold>
          </td>
          <td>
            <bold>YES</bold>
          </td>
          <td>
            <bold>N</bold>
            <bold>O</bold>
          </td>
          <td>
            <bold>EXPLAIN</bold>
          </td>
        </tr>
        <tr>
          <td colspan="5"> THE COMPANY'S EXPOSURE TO CYBERSECURITY RISK</td>
        </tr>
        <tr>
          <td>1.</td>
          <td>Is the organisation dependent on information systems to run its day-to-day business?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>2.</td>
          <td>Does the company's business requires the processing and storage of personal data?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>3.</td>
          <td>Does the company allow employees or collaborators to remotely access the organisation's systems?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>4.</td>
          <td>Does the organisational culture encourage reporting security issues?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>5.</td>
          <td>Have data leaks or IT incidents been identified in recent years?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td colspan="5">CYBERSECURITY MEASURES IMPLEMENTED BY THE COMPANY </td>
        </tr>
        <tr>
          <td>1.</td>
          <td>Does the company have guidelines for the use of information systems and the protection of sensitive data?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>2.</td>
          <td>Is access to sensitive data restricted to certain individuals who are trained annually on cyber risks, and is employee access regularly reviewed?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>3.</td>
          <td>Are IT systems regularly updated and monitored for signs of attack or unusual activity?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>4.</td>
          <td>Are anti-virus applications and multi-factor authentication installed? </td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>5.</td>
          <td>Is there a tested cyber attack response plan?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td colspan="5">THE POSITIONING OF THE INTERNAL AUDIT FUNCTION</td>
        </tr>
        <tr>
          <td>1.</td>
          <td>Does the internal auditor have access to all company IT systems?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>2.</td>
          <td>Is the internal auditor familiar with global regulations for assessing cybersecurity (COBIT, NIST, ISO27001)?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>3.</td>
          <td>Does the internal auditor have ongoing discussions with the IT team or person responsible for security?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>4.</td>
          <td>Are cybersecurity audits included in the annual audit plan?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>5.</td>
          <td>Have there been concrete proposals from internal audit related to the company's cybersecurity?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td colspan="5">LEVEL OF TRAINING OF INTERNAL AUDITORS</td>
        </tr>
        <tr>
          <td>1.</td>
          <td>Is the internal auditor IT literate and qualified?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>2.</td>
          <td>Is the internal auditor able to assess whether the technical controls implemented are relevant to the risks to which the company is exposed?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>3.</td>
          <td>Does the internal auditor have the ability to prioritize cyber risks based on the amount of damage to the organisation?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>4.</td>
          <td>Is the internal auditor involved in assessing risk control systems as they are being developed, not retrospectively?</td>
          <td/>
          <td/>
          <td/>
        </tr>
        <tr>
          <td>5.</td>
          <td>Does the auditor in turn use smart technologies for continuous monitoring?</td>
          <td/>
          <td/>
          <td/>
        </tr>
      </table>
    </table-wrap>
    <p>
      <italic>Source</italic>
      <italic>: </italic>
      <italic>own</italic>
      <italic>processing</italic>
    </p>
    <p>In setting the scores, we propose three appropriate levels for each dimension: low, medium, high, which are set according to the number of affirmative answers. We consider a low level when negative answers predominate, a medium level when the number of yes answers is 3, and a high level is equivalent to 4 or 5 yes answers. To interpret the per-set table, we will correlate the answers given for the first dimension with those for the other dimensions. According to these levels of each dimension, we logically interpreted the results, deriving 6 organisational profiles described in the following paragraphs:</p>
    <p><italic>Unexposed and unprepared organisation </italic>(0 positive answers at first dimension) Although their field of activity does not force them to protect themselves from cyber-attacks and they have not suffered any incidents, the lack of current exposure creates a false security, and in the current context, this profile is the most vulnerable to becoming the target of attackers if they do not invest in prevention measures and internal audit training.</p>
    <p><italic>Unexposed and Prepared Organisation</italic>(0 positive answers at first dimension) These companies are the most secure, although the risk is low, they have still chosen to protect themselves and involve internal audit in cybersecurity.</p>
    <p><italic>Exposed</italic><italic>and</italic><italic>unprepared</italic><italic>organisation</italic>.(0-6 positive answers)- This type of entity is susceptible to cyber risks, lacking technical measures and internal audit involvement. In this case urgent decisions should be taken to integrate cybersecurity into the audit processes; the internal auditor should actively participate in the development of procedures and rules, should strengthen the relationship with the IT department in the shortest possible time and invest heavily in technical knowledge training.</p>
    <p><italic>Protected organisation but without governance</italic>: (7-11 positive answers). Entities  this category are exposed to cybersecurity risks, have integrated measures, but internal audit is not actively involved. Therefore, organisations at this stage need to consider integrating internal audit into cybersecurity, as the existence of measures does not guarantee their effectiveness. Although the fact that the IT department is in charge of risk prevention, they do not provide independent assurance but are subjective. Auditors may point out that risks are not properly assessed Although not as urgent as in the first case, the reorganisation of the internal audit function needs to be done.</p>
    <p><italic>Exposed but aware organisation</italic><italic>: </italic>(12-16 positive answers) For these organisations, a relationship between cybersecurity and internal audit is already starting to take shape, but it is still developing, it does not meet all the requirements and there is space for improvement. Internal auditors need to take their role more seriously, consolidate relations with the IT department, improve their security knowledge and continuously evolve a training plan.</p>
    <p><italic>Mature integrated organisation</italic><italic>: </italic>(17-20 positive answers) The companies that are in this category have already integrated cybersecurity into their internal audit, trained auditors, well-developed measures and a high level of exposure. Internal auditors must continue to improve; procedures and controls require regular review and optimisation.</p>
    <list list-type="order">
      <list-item>
        <p>
          <bold>Concl</bold>
          <bold>u</bold>
          <bold>sions</bold>
        </p>
      </list-item>
    </list>
    <p>The present study aimed to analyze the integration of cybersecurity into the internal audit process through a systematic review of the literature. The first finding is related to the novelty of the topic; the relevant studies were published after 2017, and there are enough aspects not yet discussed. Starting from the 16 identified studies, in our research, we managed to compile the topics into three thematic categories, as we wanted to provide a more structured view of what it means to integrate cybersecurity into the internal audit process. Following this categorization, we could clearly see that the researchers' interests are focused on the reorganisation of the audit function, the skills needed by future professionals, and the financial impact that cyber criminals can cause to companies that neglect cybersecurity risk.</p>
    <p>This study contributes to the literature by thematically structuring the research on internal audit and cybersecurity in three directions: role, measures, determinants that can be starting points for future analysis. On the application side, the self-assessment sheet and the 6 organisational profiles support organisations in understanding their own positioning and in implementing improvements in the relationship between internal audit and cybersecurity. In contrast to a simple checklist, the proposed tool has a comparative function as the questions are drawn from international literature reviews and organisations can benefit from an assessment against existing global trends and recommendations.</p>
    <p>This research was constrained by open access to scholarly materials on the Web of Science platform, and since this study was conducted  critical thinking, we consider the risk of arbitrary categorization, as some research included in the analysis was on the borderline between one category and another.</p>
    <p>After examining the existing topics, we found that the issue of cybersecurity in underdeveloped or developing countries is treated superficially or example in Romania, such a topic has not yet been addressed, therefore we propose  future research directions investigate the challenges faced by Eastern European countries. The factors that determine the effectiveness of a cyber audit should be studied individually and, last but not least, the need to update the regulatory frameworks should be emphasized. Additionally, to refine the proposed tool, future studies could focus on the practical application of the checklist and the comparison of profiles by business sectors.</p>
  </body>
  <back/>
</article>
