The relationship between internal audit and information security: An exploratory investigation
Paul John Steinbart a,⁎, Robyn L. Raschke b,1, Graham Gal c,2, William N. Dilla d,3
a Department of Information Systems, W. P. Carey School of Business, Arizona State University, Box 874606, Tempe, AZ 85287-4606, United States
b University of Nevada Las Vegas, 4505 S. Maryland Parkway Box 456003, Las Vegas, NV 89154-6003, United States
c Isenberg School of Management, University of Massachusetts, Amherst, MA 01003, United States
d Department of Accounting, College of Business, Iowa State University, 2330 Gerdin Business Building, Ames, IA 50011-1685, United States
Article info
Article history:
Received 27 May 2011
Accepted 1 June 2012
Keywords:
Internal audit
Information systems security
Security behaviors

Abstract
The internal audit and information security functions should work
together synergistically: the information security staff designs,
implements, and operates various procedures and technologies to protect the
organization's information resources, and internal audit provides periodic
feedback concerning effectiveness of those activities along with
suggestions for improvement. Anecdotal reports in the professional literature,
however, suggest that the two functions do not always have a
harmonious relationship. This paper presents the first stage of a research
program designed to investigate the nature of the relationship between
the information security and internal audit functions. It reports the results
of a series of semi-structured interviews with both internal auditors and
information systems professionals. We develop an exploratory model of
the factors that influence the nature of the relationship between the
internal audit and information security functions, describe the potential
benefits organizations can derive from that relationship, and present
propositions to guide future research.
© 2012 Elsevier Inc. All rights reserved.

1. Introduction
Information security is necessary not only to protect an organization's resources, but also to ensure the
reliability of its financial statements and other managerial reports (AICPA and CICA, 2008). Consequently,
International Journal of Accounting Information Systems 13 (2012) 228–243
⁎ Corresponding author.
E-mail addresses: paul.steinbart@asu.edu (P.J. Steinbart), robyn.raschke@unlv.edu (R.L. Raschke), gfgal@isenberg.umass.edu (G. Gal), wdilla@iastate.edu (W.N. Dilla).
1 Tel.: +1 702 895 5756.
2 Tel.: +1 413 545 5649.
3 Tel.: +1 515 294 1685.
1467-0895/$ – see front matter © 2012 Elsevier Inc. All rights reserved.
doi:10.1016/j.accinf.2012.06.007