A security audit is a systematic and comprehensive evaluation of an organization's information security program. The purpose of a security audit is to identify vulnerabilities, assess risk, and make recommendations for improvement.
This security audit template includes three different samples that outline the steps involved in conducting a security audit of an organization's information security program. Sample 1 evaluates the effectiveness of the organization's policies, procedures, and controls in protecting its information assets; Sample 2 identifies and prioritizes security risks within the IT environment; and Sample 3 focuses on the effectiveness of access control policies and procedures as they relate to authentication and access controls.
The objectives and procedures in these work programs are divided into Tier I and Tier II. Tier I assesses an institution’s process for identifying and managing risks, while Tier II provides additional verification where risk warrants it. Tier I and Tier II are intended to be a tool set that examiners can use when selecting examination procedures for their particular examination.