Security auditing is not a widely appreciated process within organizations, because someone external is going to check the skills of the people already hired. It can be difficult to explain why security is so important and why certain mechanisms should be implemented, especially to non-technical management. On the other hand, some businesses do appreciate the benefits of security auditing: many weaknesses are identified and countered, or advice on better software or hardware is given, saving the organization money.
The mechanism of a security audit is hardly ever standard, because environments differ between companies. Techniques such as interviews, vulnerability scans and observation/analysis are the steps undertaken by a security auditor. Often the company's security policies and procedures need to be analysed, not only to check for inconsistencies within those documents but also to base the analysis and the auditing mechanism on those policies. CAATs (Computer-Assisted Audit Techniques) are utilities that generate system reports collecting logs and configuration files, and sometimes even monitor activities. I think this is very useful, as the information can be well formatted and displayed to the auditor without them having to go into specific directories/volumes or configuration files to get what is needed. Some of these tools also have programmed patterns, for instance of default configuration files, which are matched against the tested system's configuration files, and they flag the auditor on a positive match.
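As an added illustration of the pattern-matching CAATs described above (example code written for this page, not from any audit tool or from the cited guide): a small checker that parses a key/value configuration file and flags directives that are still at an assumed default, or that are commented out and therefore fall back to it. The default patterns and the sshd-style sample config are constructed for the example, not taken from vendor documentation.

```python
import re

# Constructed "default configuration" patterns: each maps a directive to the
# value this checker treats as the vendor default worth flagging.
# These values are assumptions for the example, not vendor documentation.
DEFAULT_PATTERNS = {
    "PermitRootLogin": "yes",
    "PasswordAuthentication": "yes",
    "MaxAuthTries": "6",
}

# Constructed sample of a tested system's config file (not a real host).
SAMPLE_CONFIG = """\
# sshd_config (sample, constructed for this example)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 3
"""


def parse_config(text):
    """Return {directive: value} for active (non-comment) 'key value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out line is not an effective setting
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_config(text, defaults=DEFAULT_PATTERNS):
    """Flag directives still at their default value or not set at all."""
    settings = parse_config(text)
    findings = []
    for key, default in defaults.items():
        if key not in settings:
            findings.append((key, "NOT SET", "falls back to default " + default))
        elif settings[key].lower() == default.lower():
            findings.append((key, settings[key], "matches default pattern"))
    return findings


if __name__ == "__main__":
    for key, value, note in audit_config(SAMPLE_CONFIG):
        print(f"FLAG {key} = {value}: {note}")
```

Running it on the sample flags PermitRootLogin (explicitly at the default) and PasswordAuthentication (commented out, so the default applies), while MaxAuthTries passes because it was changed.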
Considering the auditor's role as that of an investigator, there are certain areas that need to be checked, for instance the way passwords are generated or the way backups are stored, often by asking all sorts of questions based on the auditor's experience. I think a very important point to observe is that some companies have their own internal auditors/security consultants/officers who can help; however, to obtain an objective system audit an external auditor is a must. In many companies that is a way to check how the IT department is developing and progressing. The external auditor will produce a report on the goals achieved and the aims for the next audit. That is normally a formal report produced a few weeks after the audit takes place. Some institutions, such as higher education or some government bodies, are subject to laws that require external audits to be kept up to date and consistently maintained.