
At its root, an IT security audit includes two different assessments. The manual assessment occurs when an internal or external IT security auditor interviews employees, reviews access controls, analyzes physical access to hardware, and performs vulnerability scans. These reviews should occur, at a minimum, annually. Some organizations, however, prefer to do them more frequently.
Organizations should also review system-generated reports. The second, automated assessment not only incorporates that data, but also responds to software monitoring reports and to changes in server and file settings.
IT security auditors perform a variety of functions. They review an organization’s operations, financial reporting, and compliance. While these areas seem segregated, the three intersect in several places.