The Impact of Internal Audit Function Quality Determinants and Cybersecurity Governance Structure on Cybersecurity Risk Management Indicators: Using Partial Least Squares Structural Equation Modeling (PLS-SEM)

Document Type : Original Article

Author

Lecturer, Accounting Department, Sadat Academy for Management Sciences

Abstract

This research aims to analyze the impact of internal audit function quality determinants and the structure of cybersecurity governance on the enhancement of cybersecurity risk management indicators within organizations, especially amid the growing complexity and severity of cyber threats. The significance of this research lies in its attempt to provide both a practical and academic framework that supports organizations in mitigating such risks by strengthening internal audit quality and activating an effective cybersecurity governance structure.
The research has three main objectives: (1) to examine the effect of internal audit quality determinants from an input-based perspective (e.g., professional competence, training, and independence); (2) to analyze the effect of a cybersecurity governance structure based on the Five Lines of Accountability (5LoA) model; and (3) to investigate the joint interactive effect of both on cybersecurity risk management indicators across its various stages (prevention, detection, response, and recovery).
A quantitative methodology was employed using Partial Least Squares Structural Equation Modeling (PLS-SEM), based on field data collected from Egyptian firms operating in sectors highly sensitive to cybersecurity risks. The theoretical framework of the research is grounded in the literature on internal auditing and cybersecurity governance, with a particular emphasis on the Five Lines of Accountability (5LoA) model. This model integrates the roles of the board of directors, executive management, IT, information security, and internal audit in the effective management of cyber risks.
The results revealed that internal audit function quality—especially professional competence and independence—has a significant positive impact on enhancing organizations' capabilities to manage cyber risks. Additionally, having a cybersecurity governance structure based on the 5LoA model contributes to improved coordination among organizational units, thereby increasing the effectiveness of both prevention and incident response. Moreover, the research demonstrated that the interaction between audit quality and cybersecurity governance creates a cumulative effect that boosts risk management maturity and reduces the consequences of cyber incidents.
The research concludes with a recommendation to invest in developing internal auditors’ technical competencies and to broaden their operational independence, alongside adopting an inclusive governance model that ensures the active participation of all relevant stakeholders in cybersecurity. It also advises the application of specific performance indicators to measure cybersecurity risk management maturity and the use of professional frameworks as reference points in designing control and accountability structures.
This research addresses a notable gap in the accounting literature concerning the interactive relationship between internal auditing and cybersecurity governance, and opens future avenues for research applying this model in different organizational contexts, with the potential to develop quantifiable performance-based evaluation frameworks.

Keywords