0xnhl

Security Audits

Created: 1/12/2026 Updated: 1/12/2026
#cybersec#grc#gcpc

Security audits#

A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations.
There are two main types of security audits: external and internal.

Internal Audit#

An internal security audit is typically conducted by a team of people that might include an organization’s compliance officer, security manager, and other security team members. Internal security audits are used to help improve an organization’s security posture and help organizations avoid fines from governing agencies due to a lack of compliance.
Internal security audits help security teams identify organizational risk, assess controls, and correct compliance issues.
Common elements of internal audits:

  • establishing the scope and goals of the audit
  • conducting a risk assessment of the organization’s assets
  • completing a controls assessment
  • assessing compliance
  • communicating results to stakeholders

Scope refers to the specific criteria of an internal security audit.
Goals are an outline of the organization’s security objectives, or what they want to achieve in order to improve their security posture.

Auditing account privileges#

Usage audits#

When conducting a usage audit, the security team will review which resources each account is accessing and what the user is doing with the resource. Usage audits can help determine whether users are acting in accordance with an organization’s security policies. They can also help identify whether a user has permissions that can be revoked because they are no longer being used.

Privilege audits#

Users tend to accumulate more access privileges than they need over time, an issue known as privilege creep. This might occur if an employee receives a promotion or switches teams and their job duties change. Privilege audits assess whether a user’s role is in alignment with the resources they have access to.

Account change audits#

Account directory services keep records and logs associated with each user. Changes to an account are usually saved and can be used to audit the directory for suspicious activity, like multiple attempts to change an account password. Performing account change audits helps to ensure that all account changes are made by authorized users.
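The three account audits above (usage, privilege and account change) as one worked example. This is added illustration code, not part of the original notes: the role baseline, account records and directory change-log entries are constructed sample data, and the 90-day staleness window and the "three password-change attempts within ten minutes" rule are assumed thresholds an auditor would set per policy.

```python
from datetime import datetime, timedelta

# Hypothetical role baseline: the permissions each role is expected to hold.
ROLE_BASELINE = {
    "analyst": {"read:tickets", "read:logs"},
    "engineer": {"read:tickets", "read:logs", "write:code"},
}

# Constructed account records: role plus granted permission -> date last used.
ACCOUNTS = {
    "alice": {"role": "analyst", "grants": {"read:tickets": "2026-01-10",
              "read:logs": "2026-01-11", "write:code": "2025-06-01"}},
    "bob": {"role": "engineer", "grants": {"read:tickets": "2026-01-09",
            "write:code": "2026-01-12", "admin:billing": "2025-03-15"}},
}

# Constructed directory change-log entries: (user, event, ISO timestamp).
CHANGE_LOG = [
    ("carol", "password_change_attempt", "2026-01-12T09:00:00"),
    ("carol", "password_change_attempt", "2026-01-12T09:02:00"),
    ("alice", "password_change_attempt", "2026-01-12T09:03:00"),
    ("carol", "password_change_attempt", "2026-01-12T09:04:00"),
    ("carol", "email_change", "2026-01-12T09:05:00"),
]

def usage_audit(accounts, as_of, stale_days=90):
    """Usage audit: granted permissions not used within stale_days (revocation candidates)."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=stale_days)
    return {user: {p for p, last in rec["grants"].items()
                   if datetime.fromisoformat(last) < cutoff}
            for user, rec in accounts.items()}

def privilege_audit(accounts, baseline):
    """Privilege audit: permissions outside the user's role baseline (privilege creep)."""
    return {user: set(rec["grants"]) - baseline.get(rec["role"], set())
            for user, rec in accounts.items()}

def account_change_audit(log, event="password_change_attempt", threshold=3, window_minutes=10):
    """Account change audit: users with >= threshold events of one type in a sliding window."""
    per_user = {}
    for user, ev, ts in log:
        if ev == event:
            per_user.setdefault(user, []).append(datetime.fromisoformat(ts))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= timedelta(minutes=window_minutes)
               for i in range(len(times) - threshold + 1)):
            flagged.add(user)
    return flagged
```

Each function returns findings keyed by user so the results can be handed to stakeholders as the audit's output; a permission that appears in both the usage and privilege findings (here `write:code` for alice) is the strongest candidate for revocation.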