Security audit is part of the duties of compliance auditor. Compliance auditing is all about reviews of business operations to ensure that laid down rules and regulations are followed. Company’s nature of business determines the level of compliance that would be sought. Companies have security policies and procedures in place that will guarantee the safety of company’s assets. Quality auditing and fraud auditing are closely related to security auditing.

Quality auditing is designed to ensure that standards for quality controls are met. Fraud audits are calculated efforts by internal auditors on the prevention, detection and deterrence of financial statements arising from asset misappropriation. In doing this, auditors should be aware of the risks and warning signs of fraud.

Many auditors are employed today to act as compliance auditors in different categories and levels. Security audit happens to be an area that gives growing concern to stakeholders both in business and government owned entities.

What I will be sharing with you today is my years of experience in the field of security audit. So, sit back and enjoy!


Identify what assets need to be protected: the first thing that needs to be done in any security audit is to identify the assets that need to be secured. Skipping this step is just like one going to war without taking out time to find out about his or her enemies. You will be better positioned to fight in a battle and possibly win the battle if you have good information about your enemy. Security audit cannot be carried out on every asset that a business has. There are assets that do not require to be secured. Spending scarce resource to protect these assets will be tantamount to spending $5 in order to protect an asset that is worth $1. Except access to that asset can lead to other more valuable asset, securing it is not economically viable.

Review control plans/activities of the company: companies drafts out control plans or actions that will be taken to ensure that the company’s objectives are met. Auditors acting as compliance auditors should evaluate these control plans in the light of prevailing circumstance to see if they are adequate to achieve result.

Test of procedures and policies: this can sometimes be called red hat team. This process suggests that group of security professionals be employed to launch attack on company’s information systems to see if they can beat any or all of the security measures. Many accounting firms that contract security services on behalf of their clients use this method to test the reasonableness of their security procedures and strategies. Though people used to frown at this method of testing a system but, it has finally gain its way into the heart of many accountants.

Compare actual results with expected results: since it is the objective of the management to protect company’s assets via reliable internal controls and internal audits, security auditors should compare the control objectives with the actual results on ground. Where managers assert that there is proper segregation of duties, compliance auditors should review processes to tell if this is actually followed.

Make recommendations to management: it is required of compliance auditors to report findings of their security audits to the relevant authority and then make recommendations and suggestions that can either be implemented by the managers or not.

Security audit is the back bone of internal control and internal control systems. Every auditor that is forward looking should hone their skills on security audit.

Go and be successful!