Date of Award

Spring 3-5-2010

Document Type


Degree Name

Doctor of Science in Information Systems


Business and Information Systems

First Advisor

Wayne Pauli

Second Advisor

Douglas Knowlton

Third Advisor

Patrick Engebretson

Fourth Advisor

Surendra Sanikar


The Defense-in-Depth (DiD) theory has been accepted by most information security specialists and has been adopted by the Department of Defense (DOD) as a general methodology for improving any organization's information security posture. However, none of today’s information technology (IT) audit frameworks incorporate all aspects of the DiD theory (National Security Agency, n.d.). Banks and other financial institutions are, according to regulations, required to develop an IT audit program to support their respective IT infrastructure, to keep nonpublic customer information secure, and to conduct a risk-based audit on an annual basis (FDIC, 2000). The audit prescribed by regulators can be conducted either internally or externally. Whether the institution is conducting an internal IT audit or is contracting with an external firm to complete the audit, the question remains the same: how to complete the IT audit successfully. Because regulators provide little or no guidance to financial institutions, it is difficult to prepare for IT audits. Of the available frameworks, none is customized to provide feedback on both adequacy and compliance, and none includes the human factors of auditing. The purpose of this study is to develop a holistic IT audit framework that incorporates the important DiD theory and is customized for small- and medium-sized financial institutions. The newly created framework is based on commonly accepted information security practices, federal regulations, and current IT audit frameworks, and has been validated using the design science methodology. Furthermore, implementation using a multiple case study has been completed, and the results have been analyzed. This research is significant as very little empirical data is available in the IT audit field. The framework is one of the first of its kind to illustrate a blueprint of a risk-based IT audit for small- and medium-sized financial institutions.
Portions of this research have been further validated in academic journals and peer-reviewed conference proceedings.