“does not allow incorporating the importance of the audit process of systems and management of
security details at operational level of business process” (Mishra and Dhillon 2006, 21). In addition, a recent
web-survey conducted by the Institute of Internal Auditors (IIA) recommends a partnership approach between
internal audit and IT operations to improve returns on IT control activity investments (Phelps and Milne 2008).
This lack of attention to the operational dimension of information security governance in general and to the
specific relationship between the internal audit and information security functions is surprising, given the
emphasis the normative literature places on these issues. For example, COBIT specifically prescribes that
management should “establish and maintain an optimal co-ordination, communication and liaison structure
between the IT function and … the corporate compliance group” (PO4.15). In addition, “the control
environment should be based on a culture that…encourages cross-divisional co-operation and teamwork …”
(PO6.1). Furthermore, it is important to “obtain independent assurance (internal or external) about the
conformance of IT with …the organization's policies, standards, and procedures …” (ME 4.7).