What is a security audit?
Answer
A security audit is a systematic, independent evaluation of an organization's security posture: it assesses policies, procedures, controls, and technical configurations against security standards and best practices.

Types:
Internal audit: conducted by the organization's own security team.
External audit: conducted by an independent third party (more objective).
Compliance audit: verifies compliance with standards like PCI-DSS, HIPAA, SOC 2, ISO 27001, GDPR.

Areas covered: access controls, patch management, network security, data protection, incident response plans, employee awareness, physical security, and vendor risk.

Audits produce a report with findings, gaps, and recommendations. Regular audits (annually or after major changes) are required by many compliance frameworks. Audits are distinct from penetration tests (audits evaluate controls; pen tests try to break them).