The survey indicated a somewhat jaundiced view of the effectiveness of regulatory requirements. Only 40 percent of the auditors said that the organizations they serve believe compliance actually improves their data security. Two-thirds said internal policies were a primary means of assessing data security compliance, while just over half cited regulations and laws. Fewer cited industry mandates (45 percent) and contractual obligations (34 percent).
Ponemon surveyed 505 auditors, two-thirds of whom characterized themselves as internal auditors. Four of 10 work for business corporations, with the balance spread among auditing and accounting firms, IT consulting and security services companies, and government.
Internal auditors were generally more negative about their organizations' security programs than their external counterparts. For example, 51 percent of external auditors said the organizations they audit make data security a priority, compared with 38 percent of internal auditors. Business units generally control compliance budgets but are not considered the part of the organization most responsible for compliance, the auditors said.
"It's kind of like the fox guarding the hen house," said Larry Ponemon, the institute's chairman and founder. "Business units rather than the law department, IT organization or even compliance own budget, and they determine whether or not to invest in audit." The survey showed that business units control the audit budget in 54 percent of the organizations, but are considered primarily responsible for audit in fewer than a quarter of the cases.