ABSTRACT: The Sarbanes-Oxley Act of 2002 (SOX) created a resurgence of organizational focus on internal controls. In this study, we examine the extent to which the information technology (IT) controls suggested by the ISO 17799 security framework have been integrated into organizations’ internal control environments. We collected survey data from 636 members of the Institute of Internal Auditors (IIA) on the current usage of IT controls in their organizations. In addition to identifying the most and least commonly implemented IT controls, the survey results indicate that control implementation differences exist based on a company’s status as public or private, the size of the company, and the industry in which the company operates. Training of internal auditors and/or IT personnel is also associated with significant differences in implemented controls. We discuss the implications of our research and offer suggestions for future research.

This content is only available via PDF.
You do not currently have access to this content.