Security Audit: What It Covers and Why You Need One

A security audit is a structured review of your business IT systems, controls, policies, and data handling practices to identify weaknesses, verify protections, and confirm compliance with relevant security standards and regulations.


Most business owners only think about a security audit after something has gone wrong. By then, the cost of the incident is already being counted, and the questions from insurers, customers, and staff are stacking up.

A planned audit flips that order. It gives you a clear, evidence-based view of where your defences hold and where they fall short before anyone else tests them for you. This guide explains what a security audit covers, how it differs from other security reviews, how often to run one, and what to do with the findings.

The detail matters because a poorly scoped review gives false confidence, while a well-run one becomes a roadmap for the next year of security investment.

What Is a Security Audit?

A security audit is a structured assessment of how well your IT environment is protected against threats, misuse, and accidental loss. It compares your actual setup against a defined standard, usually a recognised security framework or your own internal security policy.

The exercise is broader than a vulnerability scan and more formal than a casual internal review. Auditors look at technology, processes, and people, not just systems. They check whether documented policies are actually being followed in day-to-day operations, or whether they exist only on paper.

The output is a report. The report tells you what is working, what is not, and what needs attention first. Without that structure, security spending becomes a guessing game driven by whichever vendor sent the most recent email.

How a security audit differs from a vulnerability scan

A vulnerability scan is automated. It runs a tool against your systems and produces a list of technical weaknesses, ranked by severity. A security audit includes vulnerability scanning but goes further by reviewing policies, access controls, configurations, third-party connections, and staff practices.

A scan answers the question "what holes exist in our software?" An audit answers the question "are we actually managing security properly across the whole business?"

How a security audit differs from a penetration test

A penetration test simulates an attack. Testers try to break in using the same techniques as a real adversary. An audit reviews the controls that should stop those attacks in the first place.

Both have value, and they complement each other. A penetration test shows what an attacker could do today. An audit shows whether your overall security programme is built on solid ground.

What Does a Security Audit Cover?

A complete security audit covers six core areas: access controls, patching and software currency, backup and recovery, network and endpoint protection, data handling, and staff practices. Each area is reviewed against a defined standard, with evidence collected to support every finding.

The depth in each area depends on scope. A focused review may zoom in on one domain such as cloud access, while a comprehensive one covers the lot. For most NZ small and medium businesses, a full audit run every 12 months is the right cadence.


Access controls and identity

The auditor reviews who has access to what, how access is granted and removed, and whether multi-factor authentication is enforced. Administrative accounts get particular attention because they are the highest-value targets in any environment.

Common findings here include former staff still holding active accounts, shared admin passwords, and overprovisioned access where users have more rights than their role requires.
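The findings above can be checked against evidence rather than assurance. The following is an added example, not code from the original article or from the provider it describes: a small access-review script over a constructed account export and HR leavers list (both assumed formats, not any real product's) that produces the findings the section names, each tied to the account that is the evidence for it.

```python
"""Access-review check of the kind an auditor runs during evidence collection.
Constructed input; field names are assumptions for this example only."""
from datetime import date

# Constructed sample account export (not from any real directory).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": True, "mfa": True,
     "role": "sysadmin", "owner": "Alice Ng", "last_login": date(2024, 5, 2)},
    {"user": "bob", "enabled": True, "admin": False, "mfa": False,
     "role": "sales", "owner": "Bob Rai", "last_login": date(2024, 4, 28)},
    {"user": "carol", "enabled": True, "admin": True, "mfa": False,
     "role": "accounts", "owner": "Carol Tui", "last_login": date(2024, 5, 1)},
    {"user": "admin", "enabled": True, "admin": True, "mfa": False,
     "role": "sysadmin", "owner": None, "last_login": date(2024, 5, 3)},
    {"user": "dave", "enabled": True, "admin": False, "mfa": True,
     "role": "sales", "owner": "Dave Kerr", "last_login": date(2024, 1, 9)},
]
# Constructed HR leavers list: people who have left the business.
LEAVERS = {"Dave Kerr"}
# Constructed policy: roles that legitimately need administrative rights.
ADMIN_ROLES = {"sysadmin"}

def review_access(accounts, leavers, admin_roles, today, stale_days=90):
    """Return audit findings, each naming the account record as evidence."""
    findings = []

    def add(severity, finding, acct):
        findings.append({"severity": severity, "finding": finding,
                         "evidence": acct["user"]})

    for a in accounts:
        if not a["enabled"]:
            continue  # a disabled account is not a live exposure
        if a["owner"] in leavers:
            add("critical", "former staff account still active", a)
        if a["admin"] and a["owner"] is None:
            add("high", "shared admin account with no named owner", a)
        if a["admin"] and not a["mfa"]:
            add("high", "administrative account without MFA", a)
        if a["admin"] and a["role"] not in admin_roles:
            add("medium", "admin rights exceed role requirements", a)
        if (today - a["last_login"]).days > stale_days:
            add("low", f"no login in {stale_days}+ days", a)
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f["severity"]])

def sample_findings():
    """Run the review over the constructed export as at 6 May 2024."""
    return review_access(ACCOUNTS, LEAVERS, ADMIN_ROLES, date(2024, 5, 6))

if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f['severity']:8}] {f['finding']}: {f['evidence']}")
```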

Patching and software currency

This part of the audit confirms that operating systems, business applications, browsers, and firmware are being updated on a defined schedule. Auditors look for evidence, not just verbal assurance, that patches are tested and deployed within agreed timeframes.

Unpatched software remains one of the most common entry points in real incidents, so this section often produces the most urgent findings.

Backup and recovery

Backups are reviewed for coverage, frequency, retention, encryption, and offsite or immutable storage. Crucially, the auditor checks whether backups have been tested with a real restore, not just whether the backup job reported success. A backup that has never been restored is not really a backup. This is a data backup strategy question as much as a security one.

Network and endpoint security

The auditor examines firewalls, network segmentation, wireless configuration, remote access, and endpoint protection across laptops, desktops, and servers. This is where layered defence shows its value and where shortcuts come back to bite the business.

Protective tools are confirmed to be actively running, alerting, and being monitored, not just installed and forgotten on the day they were rolled out.

Data handling and staff practices

How sensitive data is collected, stored, shared, and disposed of is reviewed against legal and contractual requirements. For NZ businesses, the Privacy Act 2020 is the baseline. Staff practices are checked through interviews, sample reviews of activity, and a look at training records. Weak employee security awareness remains the single biggest source of real incidents, so this section often drives the most useful changes.

Why Every Business Needs a Security Audit

Every business needs a security audit because confidence is not the same as evidence. Without one, you only find out your controls are weak when an attacker, a customer, or an insurer tests them, and by then the cost of being wrong is much higher than the cost of an audit.

The pressure to run one has grown sharply in the last three years. Insurers ask for proof. Customers ask for proof. Regulators ask for proof. Without current findings on hand, those conversations get awkward quickly.

Insurance and compliance requirements

Cyber insurance underwriters now ask detailed questions about controls before quoting or renewing. Many policies require a recent security audit or equivalent assessment as a condition of cover, and renewal premiums often hinge on the answers.

Industry regulators, particularly in finance, healthcare, and professional services, also expect documented audits. Without them, demonstrating compliance becomes a paperwork exercise based on hope rather than fact.

Customer and contract pressure

Large customers increasingly request an audit summary before signing a new contract or renewing a significant one. Government tenders almost always require evidence of a structured security programme.

A recent audit gives you something concrete to share, which shortens procurement conversations and protects deals from stalling on due diligence.

Avoiding the cost of an incident

A serious incident usually carries a recovery cost well beyond the price of any audit. Lost productivity, customer notifications, regulatory engagement, and reputational damage compound quickly.

An audit is a small fraction of that figure and tends to find the issues that would otherwise be exploited. Treating it as insurance is the right frame: you pay a known cost to avoid a much larger and unpredictable one.

How a Security Audit Works

A security audit works in four phases: planning and scoping, evidence collection, analysis, and reporting. Each phase produces specific outputs, and the quality of the final report depends entirely on the rigour of the earlier phases.

Most audits for small and medium businesses take between one and four weeks from kickoff to final report. The on-site or remote evidence-gathering portion is shorter than the analysis and reporting phase.

Planning and scoping

The audit begins with a clear scope. The auditor and the business agree on which systems, sites, and processes are in scope, which framework will be used, and what level of evidence is required. A common mistake is scope creep, where the audit tries to cover too much and ends up covering nothing properly. A tight scope produces sharper findings.

Evidence collection

The auditor reviews documents, runs technical scans, examines system configurations, and interviews relevant staff. Evidence is recorded so every finding can be traced back to a source. This phase usually includes a focused cybersecurity risk assessment of the most material threats facing the business, so findings are prioritised by real risk rather than generic severity ratings.

Reporting and remediation

The final report rates each finding by severity, explains what it means in plain language, and recommends action. A good audit report is written for both technical and business audiences, so leadership can make funding decisions while IT can act on the detail.

The report should include a remediation roadmap with realistic timeframes, not just a list of problems. Findings without a plan rarely get fixed.

Internal vs External Security Audit

An external security audit, run by an independent provider, is almost always more credible than an internal one. Independence reduces the risk of blind spots and self-serving conclusions, which matters for insurers, customers, and regulators.

An internal review still has a role, particularly for ongoing monitoring between formal external audits. The two approaches work well together when used deliberately rather than interchangeably.


When internal makes sense

Internal audits are useful for quarterly check-ins, verifying that previous findings have been closed, and reviewing day-to-day controls. They are cheap, fast, and keep security visible inside the team. The limitation is independence. Internal staff may unconsciously rate their own work more generously than an outsider would, and they often miss issues they have learnt to live with.

Why external is usually better

An external audit brings fresh eyes, sector benchmarking, and the independence that satisfies insurers and customers. External auditors also see issues that internal teams have stopped noticing. For most NZ businesses, the right pattern is an external review every 12 to 24 months, with internal checks in the months between.

How Often Should You Run a Security Audit?

A full security audit should be run every 12 months for most businesses, with lighter internal reviews quarterly. High-risk sectors like finance, healthcare, and legal practice may benefit from a six-monthly cycle, particularly when customer or regulatory pressure is high.

An audit is also triggered by specific events, not just the calendar. Treating those triggers seriously avoids the trap of making decisions on stale evidence.

Triggers for an unscheduled review

Significant infrastructure change, a recent incident or near miss, a new compliance obligation, or the start of a major customer contract all warrant a fresh look. Major staff changes, particularly in IT or finance leadership, are another common trigger.

An audit that is three years old is essentially a museum piece. The threat landscape moves too quickly for that interval to remain useful.

What Happens After a Security Audit?

After a security audit, the findings are turned into a prioritised remediation plan, ownership is assigned for each item, and progress is tracked against agreed timeframes. The work only delivers value when the report is acted on, not when it is filed.

This is where a strong working relationship with your IT partner matters. The remediation plan is usually a mix of quick fixes, configuration changes, policy updates, and new investments. Without clear ownership, even an excellent report gathers dust.

Building a remediation plan

A good remediation plan groups findings into immediate, near-term, and longer-term actions. Critical findings get fixed within days. High and medium findings sit in a 30- to 90-day plan. Low findings join the next budget cycle. The plan should align with your broader IT strategy so security investment is not made in isolation from the rest of the technology roadmap.

Closing the loop

Closing the loop means verifying that each remediation has been completed and is actually working as intended. A follow-up review three to six months after the audit confirms whether changes have stuck or whether old habits have crept back in.

Without verification, findings get quietly reclassified as fixed when in reality the underlying issue is still present. That is the worst of both worlds: the audit cost without the audit benefit.

Make Your Next Security Audit Count

Exodesk has been helping Christchurch, Dunedin, and South Island businesses run practical, no-nonsense security audits and stay ahead of evolving threats since 1989. Our Cyber Security team focuses on findings you can act on, not 200-page reports that nobody reads.

Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.

Frequently Asked Questions

What is a security audit?

A security audit is a structured review of your business IT systems, controls, policies, and data handling practices to identify risks and verify protections. It produces a report with prioritised findings and recommended actions. The goal is to give leadership evidence-based confidence in the business’s security posture rather than a feeling that things are probably fine.

How long does a security audit take?

A typical audit for a New Zealand small or medium business takes between one and four weeks from kickoff to final report. The evidence-gathering portion is usually one to two weeks, with the remainder spent on analysis and reporting. Larger or multi-site businesses may need six to eight weeks for a comprehensive review.

How much does a security audit cost?

The cost varies with scope, business size, and depth of evidence required. Speak to your IT partner for a tailored quote based on your environment, industry, and compliance obligations. As a rough rule, a comprehensive external audit costs a small fraction of the cost of a serious incident, which is why insurers and customers increasingly expect to see one.

How often should a business run a security audit?

Most businesses should run a full review every 12 months, with lighter internal checks quarterly. High-risk sectors like finance, healthcare, and legal practice may benefit from a six-monthly cycle. An additional audit is also warranted after major infrastructure changes, a recent incident, or the start of a significant new customer contract.

What is the difference between a security audit and a penetration test?

An audit reviews controls, policies, and configurations against a defined standard, while a penetration test simulates a real-world attack to see what can actually be exploited. Audits provide breadth, pen tests provide depth, and the two are complementary. Most mature security programmes use both at different points in the year.

Who should perform a security audit?

It is most credible when performed by an independent external provider, such as a managed IT and cyber security specialist. Internal reviews have value for ongoing checks between formal audits, but external assessments satisfy insurer, customer, and regulator expectations. Independence is the key requirement, because internal teams often cannot see their own blind spots.

Is a security audit required for NZ Privacy Act compliance?

The NZ Privacy Act 2020 does not explicitly require one, but it does require reasonable security safeguards proportionate to the sensitivity of personal information held. A documented assessment is one of the strongest ways to demonstrate that those safeguards have been reviewed and applied. Many regulators, insurers, and large customers now treat a recent audit as a baseline expectation.

What frameworks are commonly used in a security audit?

Common frameworks used in NZ include the CIS Critical Security Controls, the NIST Cybersecurity Framework, ISO 27001, and the NZISM for businesses serving government. Smaller businesses often use the CIS Top 18 controls as a practical baseline. The right framework depends on industry, customer expectations, and any regulatory obligations the business is already operating under.

What happens if a security audit finds critical issues?

Critical findings are addressed first, usually within days of the report being delivered. The auditor and IT team work together on immediate containment, followed by a longer-term fix. Leadership is informed so that resourcing and budget decisions can be made quickly, and any insurance or notification obligations are reviewed at the same time.

Can a security audit guarantee my business will not be breached?

No audit can guarantee a business will not be breached, because no defence is perfect and the threat landscape changes constantly. What it does is significantly reduce the likelihood and impact of an incident by closing known gaps. It also provides evidence that reasonable steps have been taken, which matters for insurance claims, regulatory engagement, and customer trust if something does go wrong.
