It is a question I hear occasionally. Sometimes, I hear some confusions about their roles. Sometimes, some thinks that one is subordinate to another or one department is more important than the other one.

I associate the IT Security department to the Police Department, and IT Audit department to the Intelligence Service.

If an accounted was killed in the metro station in the middle of night, it is an important “event” for the police department that they will certainly deal with it. However, the Intelligence Service will complete ignore it. Even if two hundred people were killed there, they will likely to ignore it as well. Similarly, if a computer virus was detected on user computers, it is an investigation point for IT Security Department, but IT Audit will ignore this individual case.

If the British Consulate hosts for a dinner in the capital city of your country, the police department will likely not even know –also doesn’t care- about that, however, the Intelligence Service will likely to send a bunch of “officers” to that event. Similarly, if department managers don’t monitor their subordinates’ access rights regularly, IT Security will not know/care about that. However, it is a malfunctioning control and the audit department will certainly interested on that.

Therefore, the answer is that no one is more important than the other one, they have different goals and different kind of interests, and they cannot replace with each other.