Audits and Assessments – CompTIA Security+ SY0-701 – 5.5

There are many good reasons to perform ongoing technology audits. In this video, you’ll learn about internal audits, external audits, and more.

The term “audit” often has a negative connotation, but there can be very good reasons for running an audit, especially in the context of IT security. A cybersecurity audit allows us to examine many aspects of our computing environment. For example, we can examine the IT infrastructure, the software that we’re using, and all of the devices that communicate over our network. We might also want to look through our existing policies and procedures and make sure that we are properly protected against today’s threats.

An audit can also find vulnerabilities in our network before the attackers find them, effectively making us much safer. This is something we can perform internally, but we might also want to bring in a third party for a more thorough review.

You’ll often hear the terms “audit” and “attestation” used in conjunction with each other. The attestation is an opinion of truth that is associated with the results of an audit. We’ll commonly perform an audit, and then we will attest to the results of that audit.

You don’t necessarily need to bring in a third party to perform an audit. Audits can be done internally within your own organization. Your internal audit might answer questions that you have about compliance and confirm that all of the compliance tasks in your organization are being followed properly. Your organization might also have an audit committee. This is commonly the group that is responsible for all of the risk management associated with an organization, and it is the audit committee that both starts and stops any internal audits.

These audits often start with a self-assessment. This allows an organization to look at their internal processes and procedures and see how well they match the requirements for the organization. The audit committee can then compile all of these self-assessments together to get an idea of where the organization might be as it relates to compliance.

Some compliance regulations require that a third party perform the audit. In that case, we’ll bring in an external group to carry out all of the functions of that particular oversight. The details about the type of audit that takes place and how often it takes place are usually based on the requirements of the regulation.

This usually involves providing desks for a third-party auditor to come into your organization and begin looking through your records. They might then compile information and gather additional details about the specifics associated with this audit. The results of this audit would commonly show where the company stands today with its compliance and where there may be room for improvement in the future.