Definitions
General
An audit is
“a detailed examination conducted by people external to the business unit to assess controls, measure performance and compliance, identify gaps, and make recommendations.”
“[an i]ndependent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.”
Security
An audit is an
“[i]ndependent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies or procedures.”
U.S. copyright law
An audit is
“a royalty compliance examination to verify the accuracy of royalty payments, or the conduct of such an examination, as applicable.”
Overview
The most common forms of audit are compliance, operational, and vulnerability audits. An audit may be carried out by internal or external groups.
Integrated, dynamic auditing systems not only record information, but also act to restrict use or to alert security personnel when possible safeguard violations occur — not just violations from intruders but also from insiders. One feature might alert security personnel if users are accessing certain files after hours or if a user (or possible intruder) repeatedly but unsuccessfully attempts to access a certain computer. The security officer might then closely monitor the user's actions to determine what further action should be taken (simply denying access might alert an intruder to use a more reliable or more covert method, confounding the security staff). Some sophisticated systems use expert systems that "learn" users' behavior.
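The two alerting rules described above (after-hours access to certain files, and repeated unsuccessful attempts against one computer) can be shown as a small detection pass over audit records. The following Python is an added example, not code from the page or from any product it describes; the log format, the business-hours window, the sensitive-path prefixes and the failure threshold are all assumptions made here for illustration, and the sample records are constructed. In keeping with the text, the logic alerts rather than denies, so the security officer can decide what further action to take.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit records (not from the page):
# <ISO timestamp> <user> <action> <target> <outcome>
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice OPEN /finance/q1.xlsx SUCCESS
2024-03-04T22:47:15 alice OPEN /finance/q1.xlsx SUCCESS
2024-03-04T23:02:40 bob LOGIN host-db01 FAILURE
2024-03-04T23:03:05 bob LOGIN host-db01 FAILURE
2024-03-04T23:03:31 bob LOGIN host-db01 FAILURE
2024-03-04T23:04:02 bob LOGIN host-db01 FAILURE
2024-03-05T10:15:22 carol OPEN /hr/payroll.csv SUCCESS
2024-03-05T10:16:00 carol LOGIN host-db01 FAILURE
"""

# Assumed policy parameters: normal business hours, which files deserve an
# after-hours alert, and how many consecutive failures count as "repeated".
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
FAILURE_THRESHOLD = 3


def parse_record(line):
    """Split one whitespace-separated audit record into a dict."""
    ts, user, action, target, outcome = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "target": target,
        "outcome": outcome,
    }


def is_after_hours(ts):
    """True when the timestamp falls outside the assumed business-hours window."""
    t = ts.time()
    return t < BUSINESS_START or t >= BUSINESS_END


def analyze(log_text):
    """Return a list of (rule, user, target, timestamp) alerts for the log.

    Rule 1: successful access to a sensitive file outside business hours.
    Rule 2: the Nth consecutive failed login by one user against one target;
            a successful login resets that user's counter for the target.
    """
    alerts = []
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)

        if (rec["action"] == "OPEN" and rec["outcome"] == "SUCCESS"
                and rec["target"].startswith(SENSITIVE_PREFIXES)
                and is_after_hours(rec["ts"])):
            alerts.append(("AFTER_HOURS_ACCESS", rec["user"],
                           rec["target"], rec["ts"].isoformat()))

        if rec["action"] == "LOGIN":
            key = (rec["user"], rec["target"])
            if rec["outcome"] == "FAILURE":
                failures[key] += 1
                # Fire once, when the threshold is first reached.
                if failures[key] == FAILURE_THRESHOLD:
                    alerts.append(("REPEATED_FAILED_ACCESS", rec["user"],
                                   rec["target"], rec["ts"].isoformat()))
            else:
                failures.pop(key, None)
    return alerts


if __name__ == "__main__":
    for rule, user, target, when in analyze(SAMPLE_LOG):
        print(f"{when} {rule}: user={user} target={target}")
```

On the constructed sample this yields two alerts: alice's 22:47 access to /finance/q1.xlsx, and bob's third failed login against host-db01 (the fourth failure does not re-fire). The threshold check uses equality rather than "greater than or equal" so that a sustained attempt produces one alert for the officer to follow up, not one per attempt.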
Contract clause
An audit clause
“gives the data owner the ability to perform physical audits of the vendor's data storage facility and related controls. These clauses also might outline the vendor's responsibility for having a third-party test of the vendor's controls.”
References
- Information Management and Information Protection Glossary of Terms.
- CNSSI 4009-2015
- CNSSI 4009, at 8; NIST Special Publication 800-32.
- 17 U.S.C. §115(e)(4).
- Report on Cybersecurity Practices, at 28.
See also
- Account audit
- Audit and Accountability
- Audit and monitoring control
- Audit charter
- Audit data
- Audit file
- Audit of Information Technology (IT) Security
- Audit plan
- Audit policy
- Audit program
- Audit report
- Audit review
- Audit trail
- Auditing Using Microtechnology
- Federal Audit Executive Council
- Generally Accepted Auditing Standards
- Internal audit
- Performance audit
- Privacy-impact audit
- Security audit
- Standards audit