Security Audit


A computer security audit is a manual or systematic, measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or computer-assisted audit techniques (CAATs), include system-generated audit reports and the use of software to monitor and report changes to files and settings on a system. Systems can include, for example, personal computers, servers, mainframes, network routers, and switches. Applications can include, for example, Web Services, Microsoft Project Central, and Oracle Database.

Generally, computer security audits are performed by:

  1. Federal or State Regulators – Certified accountants, CISA. Federal OTS, OCC, DOJ, etc.
  2. Corporate Internal Auditors – Certificated accountants, CISA
  3. External Auditors – Specialized in the areas related to technology auditing
  4. Consultants – Outsourcing the technology auditing where the organization lacks the specialized skill set

CIPL has the right to perform security audits and has also performed audits at some firms.