This paper explores whether IT and audit professionals have different perceptions of the substantive and symbolic perspectives of information security assurance and the role of security configuration management (SCM) using a mixture of qualitative and quantitative approaches. Importance...