Jurnal TRANSFORMATIKA Vol. No. January 2026, pp. 135 - 154
P-ISSN: 1693-3656. E-ISSN: 2460-6731
https://journals. id/index. php/transformatika/

Cyber Security Audit in Information Technology Governance: A Literature Review and Future Research Agenda

Nazri Sidqi Fachriaz1, Saifudin Saifudin2*
1Dian Nuswantoro University/Informatics, Jalan Imam Bonjol 207 Semarang, 62 . 3517261, e-mail: 111202516125@mhs.
2Universitas Semarang (USM)/Accounting, Jalan Soekarno Hatta Semarang, 62 . 6702757, e-mail: saifudin@usm.

ARTICLE INFO
History of the article: Received 23 August 2025. Received in revised form 20 December 2026. Accepted 9 January 2026. Available online 30 January 2026.
Keywords: cyber security audit, information technology governance (ITG), systematic literature review, future research
* Correspondence: Telephone: E-mail: saifudin@usm.

ABSTRACT
This study aims to examine cyber security audits in information technology governance (ITG) more deeply using a literature review approach. The method used in this research is a systematic literature review applying the PRISMA (Preferred Reporting Items for Systematic reviews and Meta-Analyses) method, with 25 years of observation from 1999 to 2024. 980 articles were obtained, nevertheless, only 36 articles were The research results show that cyber security audit is compatible with and closely related to information technology governance (ITG), mainly in the domain regarding the need for the board of directors to understand and master cyber security audit skills in order to overcome violations and data leaks in IT governance. Cyber security audit and information technology governance (ITG) are two key components to maintain information security as well as to manage information technology. Integration between the two in a conceptual framework helps organizations identify, manage and mitigate cyber risks and maintain alignment with business objectives.
INTRODUCTION

The current digital era has brought unprecedented levels of connectivity, convenience and innovation, but also new risks, mainly in the form of cyber threats. The ever-evolving nature of cyber threats presents significant challenges for all entities. It is essential for all entities to combine strong cyber security audit practices with information technology governance (ITG) principles to maintain information security and to run business operations smoothly.

Cyber security audit is a process of monitoring systems, networks, and information security practices to identify potential threats and to evaluate existing levels of protection, while ITG is a structure which directs decision making and management of IT resources to achieve organizational goals. Both domains have a crucial role in managing risk, ensuring compliance, and improving operational efficiency. Therefore, developing a conceptual framework which combines the two is an essential step for any entity in today's dynamic modern era. Figure 1 gives an overview of the latest mapping of the relationship between cyber security audit and ITG:

Figure 1. Mapping the relationship between cyber security audit and ITG by theme
Source: VOS viewer, 2025

As seen in Figure 1, ITG is central to the studies which are most widely used as research material. Moreover, when closely observed, cyber security is the variable which has the most connectivity associated with ITG. Figure 2 shows recent themes that can be associated with ITG.

Figure 2. Mapping the relationship between cyber security audit and ITG by years
Source: VOS viewer, 2025

Based on Figure 2, studies from the most recent years, i.e. 2020 and above, which are symbolized by yellow points, show that the theme of cyber security audit is the most central theme used as material for studies and research related to ITG. Following these facts, this research aims to examine cyber security audits in ITG more deeply using a literature review approach.

Cyber security Audit

Cyber security audit is a systematic and structured process for evaluating the level of security of an organization against cyber threats. This cyber security audit involves data collection, risk analysis, and examination of policies and security practices. The results of the audit are used to identify weaknesses and to design necessary improvements. The steps taken begin with data collection, i.e. collecting information about the systems, networks and security practices that exist within the organization. Next, a risk analysis is conducted, i.e. analysing potential threats and their impact on the organization. The next step is compliance evaluation, namely checking the organization's compliance with security standards and applicable regulations by identifying weaknesses, which then need to be corrected. The final stage is reconstruction and improvement, i.e. implementing changes and improvements to enhance the

Information Technology Governance (ITG)

ITG is a framework that helps organizations manage IT resources effectively. The goal is to ensure that information technology supports business objectives, manages risks well, and complies with applicable regulations. ITG involves the following components:
- first, leadership and strategy on IT, by developing an IT vision and strategy that supports organizational
- second, measuring performance, by monitoring and measuring IT performance to ensure efficiency and effectiveness;
- third, risk management, carried out by identifying, evaluating and managing risks related to IT;
- fourth, internal control, by implementing internal control to protect IT assets and ensure compliance.

Integration of Cyber security Audit with ITG

A conceptual framework that combines cyber security audit and ITG ensures that information security practices are aligned with organizational goals. Several ways of this integration can be elaborated as seen in Figure 3 below:

https://doi. org/10. 26623/transformatika.

Figure 3. The conceptual framework of the adoption of the five lines of accountability
Source: .

RESEARCH METHODS

In this research, the approach used is a systematic literature review (SLR). SLR is a method of synthesizing scientific evidence to answer a specific research question in a transparent and reproducible way by incorporating all the evidence which has been published on the topic and assessing the quality of the evidence. also added that SLR has become the main methodology used in various scientific disciplines. These also include auditing. The following are the stages of research using the SLR approach based on several references. The steps in the searching stage are divided into several processes, i.e. identification, screening, eligibility and inclusion. This step is in accordance with the guidelines in PRISMA (Preferred Reporting Items for Systematic reviews and Meta-Analyses). PRISMA is a series of evidence-based minimums which aims to help report various systematic reviews and meta-analyses that assess benefits. The searching stage was conducted using the Publish or Perish (PoP) tool. PoP is a phrase that describes the pressure placed on academics to publish in scientific journals quickly and continuously as a condition for getting a job (looking for work), promotion, and even maintaining one's job.
The steps in SLR-based research are elaborated in Figure 4 as follows:

Figure 4. Steps in the systematic literature review
Source: .

In accordance with Figure 4 above, the first stage is planning or preparation. The preparation stage covers preparing the supporting tools used to process the articles to be selected. The tools prepared for searching are PoP and VOSviewer, which have proven to be very relevant to use. At this planning stage, the following research questions (RQ) are proposed: how is cyber security audit used in ITG? (RQ1) and what cyber security audit domains are used in ITG? (RQ2)

The second stage is literature searching, i.e. the process of obtaining relevant research articles to obtain answers to the research questions. The following databases were selected for the literature search: Science Direct, Scopus.com, and Google Scholar. Selected articles range in publication date from 1999 to 2024. The literature search strategy used the keywords "CYBER SECURITY AUDIT" and "INFORMATION TECHNOLOGY GOVERNANCE (ITG)".

The third stage is conducting analysis. In the analysis stage, the papers resulting from the literature search were selected by employing the PoP application. The literature obtained was then selected based on inclusion and exclusion criteria according to the needs of this research. These criteria are as follows:

Inclusion criteria:
- The language used is English
- The articles are published in international journals between 1999 and 2024
- The articles discuss cyber security audit which is related and relevant to information technology governance
- The articles are available in full text form

Exclusion criteria:
- The articles are not available in full text form
- The articles do not explain cyber security audit which is related and relevant to information technology governance
- The articles lack relevant research methods
- The language used is not English

The fourth stage is reporting. The reporting stage includes providing a quality assessment of the scientific articles that have been selected by establishing quality criteria. The Quality Assessment (QA) criteria in this research are as follows:
- QA1: Does the paper contain the relationship between cyber security audit and ITG?
- QA2: Does the paper state the cyber security audit domain used in ITG?

RESULTS AND DISCUSSIONS

Based on the stages of the research methodology elaborated previously, the SLR stages were carried out starting with planning and searching. Figure 5 shows an overview of the study search results using PoP:

Figure 5. Results of the Search for the Relationship between Cyber security Audit and ITG in 1999-2024
Source: Publish or Perish, 2025

According to the results of the investigation of relevant articles using Publish or Perish (PoP), 980 articles were obtained from 1999 to 2024 (a time span of 25 years). Searches using PoP are based on the keyword index used, i.e. "CYBER SECURITY AUDIT" and "INFORMATION TECHNOLOGY GOVERNANCE (ITG)". From the 980 articles obtained, the SLR stage was then continued using the PRISMA method as described in Figure 6:

Figure 6. PRISMA Diagram
Source: personalized processed data, 2025

Based on Figure 6 above, the identification stage successfully collected 980 articles. Then, selection was carried out by sorting the data, i.e. checking the titles to avoid duplicate titles and articles whose studies were not relevant. This stage resulted in 751 relevant articles. Furthermore, these 751 articles were analysed in more depth to obtain relevant data. The expected data criteria were that the article must have research ideas relevant to this research topic, i.e. cyber security audit and ITG, and should have a research methodology contributing to the theme. The selection stage resulted in the remaining titles, i.e. relevant articles. In the eligibility stage, only 36 articles were obtained. An article is called eligible when it has full text after screening, is original, has a good design in its methodology, has significant research results, and has an appropriate and proper research concept. The 36 articles that were successfully obtained for themes corresponding to cyber security audit in ITG came from the journals shown in Table 1 below:

Table 1. Breakdown of Reviewed Studies
Source: personalized processed data, 2025

As seen in Table 1, the most studies on cyber security auditing in ITG, 4 articles, were found in Information and Computer Security, International Journal of Accounting Information Systems, Journal of Information Systems and Managerial Auditing Journal. Furthermore, 2 articles are in the journals Digital Policy, Regulation and Governance, Journal of Management and Governance, and Sensors. The remaining journals each contributed 1 article.

Based on the years studied, it turns out that the theme of cyber security audit in ITG has emerged since 1999 and only started to be researched in 2007. Thus, this theme has only been running for 17 years, as shown in Figure 7:

Figure 7. Trends of Cyber security in ITG Over Period of 2007-2024
Source: personalized processed data, 2025

As described in Figure 7, the cyber security audit theme in ITG was most frequently found in 2023, with 8 articles, followed by 2022 and 2018 with 6 articles each.
Furthermore, in 2017, 2021 and 2024 there are 3 articles each. Meanwhile, specifically for 2024, the data obtained is only available until April 2024 (by the time this study was conducted). Figure 8 describes the research methodology carried out on the theme of cyber security audit in ITG:

Figure 8. Breakdown of Research Methods
Source: personalized processed data, 2025

Figure 8 above shows that studies on the cyber security audit theme in ITG mostly use the survey method, i.e. 17 articles, with 10 articles using the conceptual framework. Furthermore, there were 5 articles using the literature review method, 3 articles using the qualitative method, and only 1 article using a mixed qualitative and quantitative method. The SLR study with the theme of cyber security in ITG resulted in 36 selected articles, whose results and recommendations for future studies are summarized in the following Table 2:

Table 2. Summary of Research Results and Recommendations for Future Research
No. Years Author Name of Journals Research Results Recommendations for Future Research

International Journal of Accounting Information Systems that there is a causal relationship between management and IT professionals are concerned with design, implementation, and assessment of IT governance strategies Future research needs to check interviews at various levels of industry scale about IT governance, in addition it also needs to include external partners in IT governance, then also examine the attitudes of several business units towards IT governance in large and complex also align IT governance with IT value drivers, and finally include conducting action research in the COBIT framework.
International Journal of Accounting Information Systems Future research could reconfirm, as the nature of the relationship between internal audit and information security and information system security functions differs across the four institutions studied. Journal of Information Systems The research developed an exploratory model of factors that influence the nature of the relationship between the internal audit function and information security, illustrating the potential benefits that organisations can derive from the relationship. that there is a positive relationship between information security and the internal audit function within organisations. Future research could examine the relationship between information security and the internal audit function within organisations, by developing a more reliable measure of information security Digital Policy, Regulation and Governance. Digital Policy, Regulation and Governance. Review of Accounting Studies. Managerial Auditing Journal. AMCIS 2017. that a strong market and network governance structure that is more limited to the role of hierarchical structures can use purely hierarchical methods governance structure. the need for a board of directors with IT governance security expertise in a business the results show that the private sector internalises some externalities, mostly on a voluntary basis and through network governance this is the first step in the development of cyber The findings of this research, found that undisclosed cyberattacks were associated with an 6% drop in equity value in the month that the attack was discovered, and disclosed attacks had a much lower drop of 0. 
The result of this article is that there are four main cyber-focused standards and frameworks in the current literature, namely. Control Objectives for Information and Related Technology. International Organization for perceptions of the role of internal audit, and then adapting the instrument to measure internal auditors' perceptions of the role of internal In the future, there needs to be an alignment of the private and government sectors in the implementation of cyber security, both in ex ante (before the incident) and ex post (after the incident). there needs to be a board of directors with IT governance security expertise in a business entity, if there is none, then there needs to be an internal auditor who has this expertise. Future research is needed to identify how these mechanisms can be expanded or augmented to further improve cyber security governance. Future research is expected to add other variables to find out what factors cause the impact of cyber security on reducing Cyber risk is not something that can be avoided, but rather must be managed. Therefore, future research could consider internal audits as they are an integral part of the Standardization. The American Institute of Certified Public Accountants, and National Institute of Standards and Technology. the results showed that the level of cyber security audit is significantly and positively related to the Internal Audit Function's (IAF) competence in governance, risk, and With a cyber security audit, companies benefit from risk management, especially from cyber threats and exploitation. Managerial Auditing Journal. Managerial Auditing Journal. Accounting, Organizations and Society. that the quality of the relationship between the internal audit and information cyber security functions affects an objective measure of the overall effectiveness of an organisation's information security. Information and Computer Security. 
Managerial Auditing Journal The outcome of this article is to clearly define the relationship between cyber security and information security, especially from a governance perspective. Cyber testing techniques provide insight into the effectiveness of implementing actual cyber security controls. Journal of Information Systems The research found that breaches are associated with increased costs, but cyber security assurance process. Future research could focus on the reasons for low audit involvement in cyber security audits. Future research can further develop this This study is the first study in characterising the notion of Cyber security Loafing. an important topic for future research is to investigate the effect of these internal audit quality measures, not only on the the relationship between the internal audit function and the information security function, but also on information security The limitation of this article is that it is based on ISO alone. so future research, can develop more outside ISO With the presented cyber testing traditional process-oriented assurance techniques, future research can test cyber with other Future researchers can test with other methods or other the impact is driven by external breaches. International Journal of Critical Infrastructures The results found that there is a significant and direct relationship between both ITG and the level of corporate cyber security. Auditing: A Journal of Practice & Theory. Current Issues in Auditing. SSRN Electronic Journal This research found that only cyber incidents were associated with an increase in audit fees and the relationship was driven by more severe incidents. 
that information about frameworks in information security and cyber security that are based on such as ISO27001:2013, the NIST Cyber security Framework and ISO27009 is feasible and This research literature review provides evidence that board IT committees, management teams with IT expertise, and audit committees can play an active role in mitigating security breaches. Researchers found that normative power (cyber security certification of internal auditors) and human agency factors significantly explain the effectiveness of Cyber security Audits. Applied Sciences. CENTERIS. The results of this study propose a generalised, client-centred cyber variables about whether auditors have the risk of price gouging into their fees and whether the company's internal governance can mitigate the potential increase in audit fees. Future research needs to examine the factors that influence the need for a board of directors who master cyber security, have knowledge and Future research is expected to use variables other than audit fees in relation to cyber incidents. For future research, it is expected to improve the implementation of the framework that has been made, which refers to the ISO 27001:2013-based audit project. Further research is needed to understand how companies can better address and prevent the different types of cyber security breaches that affect organisations. To establish the robustness of the findings, future research could measure isomorphic strength and human agency factors with alternative indicators or use different For future research, it is expected to examine audits to security audit information system integrated with the web. Journal of Management and Governance The main findings of this study suggest that the presence of a committee responsible for cyber security on the board of directors is key to improving cyber security. Information and Computer Security. 
Procedia Computer Science The finding of this article is that each cyber security capability can be further operationalised with a set of cyber security controls derived from various frameworks, standards, and guidelines, such as COBIT®, CIS®, ISA/IEC 62443, ISO/IEC 27002, and NIST publication 800-53. The outcome of this paper is to provide insights for strategic and tactical business decision support suitable for mitigating possible cyber security breaches and threats with a System Dynamics Modelling (SDM) approach. International Journal of Accounting Information Systems. Computer and Security The research found that cyber security Audit Index scores varied widely, with an average of 58 on a scale of 0 to On the other hand, the planning and execution phases were strongly and positively correlated, but less associated with reporting on the effectiveness of cyber risk management to the Board of Directors. This research proposes an architecture-based security conceptual evaluate and mitigate information security risks with other method approaches. The results of this study, which show the relationship between various board characteristics and the overall level of cyber security disclosure as well as its individual aspects, can be further developed by future researchers with other variables. For future research, it is recommended that separate but integrated enterprise IT and ICS cyber security teams be established in one security operations The results of the framework in this study can be further developed by future researchers to open up insights for strategic and tactical business decision support suitable for mitigating possible cyber security breaches and threats. 
In the future, it is necessary to improve in measuring the effectiveness of cyber security audits and their effect on cyber risk future research can develop an architecture-based security conceptual Information and Computer Security. Journal of Cyber security and Privacy. Sensors. Information and Computer Security. framework that has three namely system representation model type, security representation model type, and security process model type. The result of this research is that not all financial analysts consider cyber security information in their investment analysis process and not all financial analysts find cyber security disclosures in corporate financial statements useful. The framework developed in this research, incorporates various components that are not considered in existing frameworks, such as research and development, public-private collaboration framework, regional and international cooperation framework, incident management, business continuity, disaster recovery framework, and compliance with laws and The result of this research is that a comprehensive framework is proposed for implementing cyber threat intelligence (CTI) in organisations. The findings of this study indicate that the Cyber Trust Programme (CTP) has a significant impact on the cyber security assurance of government entities participating in the CTP. framework that has three components namely system representation model type, security representation model type, and security process model type. Future research can help define and develop measures for reliable and quantitative and qualitative cyber security data As a next step, the evaluation and validation of the proposed framework will be conducted in the selected organisations to see its effectiveness. 
Future research is expected to develop a framework proposed for implementing cyber threat intelligence (CTI) in organisations that is tailored to the needs and resources Future research is expected to evaluate how the cyber trust programme (CTP) improves managers' decision-making skills and competencies, as well as how resources are allocated and how the CTP is matched to organisational needs. International Journal of Accounting Information Systems. Journal of Management and Governance. Continuity & Resilience Review The results of this article show that cybercrime can be mitigated by using CCMF (cybercrime mitigation framework) to detect, assess, analyse, evaluate and respond to cybercrime to enhance security in an organisation's evolving threat landscape. International Journal of Disclosure and Governance The research qualitatively provides evidence that public companies are addressing cyber security-related issues, emphasising how the three lines of defence (internal audit, information technology Sensors The researcher found that all the organisations studied adopted the 5 LoAs clearly to improve the effectiveness of cyber security governance. This research finds evidence that effective boards has a positive effect on companies' decision to disclose cyber security information, and that board independence and financial expertise have a positive impact on the amount of these This research classifies and analyses common security compromises related to IoT layered architectures, including communication, and management protocols. 
Future research can develop 5 LoAs to improve the effectiveness of cyber security Future research is expected to improve on the shortcomings of this research in examining the impact of board effectiveness on issues related to cyber security Future research is expected to further develop the classification and analysis of common security intrusions related to IoT layered communication, and The challenge researchers will face in the future, is to conduct research on the evolving organisational threat landscape including: caused by the integration of various network nodes and, subsequently, factors that influence these include inadequate threat intelligence gathering, lack of third-party audits and inadequate control the results of this research can be qualitatively and quantitatively in the future to show evidence that public companies are addressing cyber Journal of Information Systems. Journal of Information Systems. (IT), and information security (IS)), can contribute to cyber security effectiveness. The research was able to find a relationship between cyber security risk and audit pricing We found that audit firms that have experience with clients that experienced a cyber security breach, ceteris paribus, charge higher audit fees than clients that did not experience a breach. security-related Future research is expected to improve on the shortcomings of this research in examining the relationship between cyber security risk and audit pricing. future research could add other variables besides auditors' experience with their clients' cyber security incidents, to influence subsequent audits and help those clients reduce cyber security risks.

Source: personalized processed data, 2025

Based on Table 2, it can be elaborated that cyber security audits are generally immensely needed in ITG.
Moreover, several of the studies cited above emphasize that it is highly recommended that the board of directors master cyber security audit, so that they are able to anticipate various impacts arising from violations and data leaks related to information technology.

CONCLUSIONS AND RECOMMENDATIONS

Cyber security audits and Information Technology Governance are two key components needed to maintain information security and manage information technology effectively. Integration between the two in a conceptual framework helps organizations identify, manage and mitigate cyber risks while maintaining alignment with business objectives. Building a solid understanding of this relationship is an important step for facing the increasingly complex cyber security challenges of today's digital era.

Future studies are recommended to develop this research, for example by gathering in-depth information from external partners about cyber security and ITG, and by increasing the depth of information exchanged between internal auditors and cyber security management. In addition, future research also needs to add several other variables, including variables to measure professional perceptions about information security and risk management variables to improve the effectiveness of information security management and ITG comprehensively. An internal auditor who is an expert can act as a substitute for the board of directors if no member of the board of directors has mastered cyber security auditing in ITG. Therefore, the relatively new cyber security audit themes can run dynamically according to developments in IoT and artificial intelligence (AI).

REFERENCES