
Annual Security Audit Checklist

Document Version: 1.0
Date: November 11, 2025
Audit Period: 2025
Prepared For: Acme Corp
Audit Type: Internal Security Audit / Compliance Review


Executive Summary

This Annual Security Audit Checklist provides a comprehensive framework for conducting security audits based on Acme Corp's policy framework. Use this checklist to verify compliance with security policies, identify gaps, and ensure continuous improvement of the information security program.

Audit Scope:
  • Policy compliance verification
  • Technical control effectiveness
  • Security awareness and training
  • Access control management
  • Incident response capabilities
  • Disaster recovery readiness
  • Vendor security management
  • Regulatory compliance (HIPAA, SOC 2, etc.)

Recommended Audit Frequency:
  • Full comprehensive audit: Annual
  • Targeted audits: Quarterly
  • Continuous monitoring: Ongoing


Table of Contents

  1. Access Control and Identity Management
  2. Authentication and Password Management
  3. Security Awareness and Training
  4. Incident Response and Management
  5. Data Protection and Privacy
  6. Endpoint and Mobile Device Security
  7. System Monitoring and Logging
  8. Change Management
  9. Backup and Disaster Recovery
  10. Vendor and Third-Party Management
  11. Physical Security
  12. Acceptable Use and Code of Conduct
  13. Compliance and Documentation

1. Access Control and Identity Management

Policy Reference: SEC-002: Access Control and Authorization Policy

1.1 User Access Provisioning

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Access requests require manager approval | Review sample of 10-20 access requests from past quarter | Access request tickets with approval records | |
Business justification documented for access requests | Review access request documentation | Access request forms with justification | |
Access provisioned within 1 business day SLA | Calculate average time from approval to provisioning | Ticket timestamps and provisioning logs | |
Minimum necessary access granted (least privilege) | Review sample user accounts vs. job requirements | Access control matrices, user permissions | |
New users complete training before receiving full access | Cross-reference onboarding records with access grants | Training completion + access grant dates | |

1.2 User Access Reviews

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Quarterly access reviews conducted for all users | Verify 4 access reviews completed in past year | Access review reports (Q1, Q2, Q3, Q4) | |
Monthly reviews conducted for privileged accounts | Verify 12 privileged access reviews in past year | Privileged account review reports | |
Managers certify team member access is appropriate | Review certification records | Manager certifications/sign-offs | |
Inappropriate access removed within 5 business days | Review remediation records from access reviews | Remediation tickets and completion dates | |
Access review completion rate ≥ 95% | Calculate completion percentage | Access review tracking/completion logs | |
Access review findings tracked and remediated | Review findings log and remediation status | Access review findings + remediation records | |

1.3 User Access Termination

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Terminated user access disabled on last working day (voluntary) | Review sample of 10 voluntary terminations | Termination date + access disable timestamp | |
Terminated user access disabled immediately (involuntary) | Review sample of involuntary terminations | Termination notification + access disable time | |
All systems included in offboarding (email, apps, VPN, etc.) | Review offboarding checklist completion | Completed offboarding checklists | |
Equipment retrieved from terminated employees | Verify equipment return records | Asset return receipts/logs | |
Offboarding SLA: 100% within required timeframe | Calculate % meeting SLA | Offboarding completion metrics | |
Monthly audit of recently offboarded accounts | Verify monthly post-termination audits conducted | Post-termination audit reports | |
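Several items in sections 1.2 and 1.3 ask the auditor to calculate a metric rather than eyeball a record (completion rate ≥ 95%, remediation within 5 business days, voluntary terminations disabled by the last working day, 100% offboarding SLA). The script below is an added example, not part of the checklist or Acme Corp's tooling: it scores constructed evidence records against those thresholds. It assumes the record layout shown, ignores public holidays when counting business days, and, because the page does not quantify "immediately" for involuntary terminations, uses a one-hour cutoff purely as an illustrative assumption.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Thresholds taken from checklist sections 1.2 and 1.3.
REVIEW_COMPLETION_TARGET = 0.95       # access review completion rate >= 95%
REMEDIATION_SLA_BUSINESS_DAYS = 5     # inappropriate access removed within 5 business days
# "Immediately" for involuntary terminations is not quantified on the page;
# the one-hour cutoff below is an assumption made only for this example.
INVOLUNTARY_DISABLE_CUTOFF = timedelta(hours=1)


@dataclass
class Remediation:
    finding_id: str
    raised: date
    removed: Optional[date]          # None means the access is still in place


@dataclass
class Termination:
    user: str
    voluntary: bool
    effective: datetime              # voluntary: end of last working day; involuntary: HR notification time
    disabled_at: Optional[datetime]  # timestamp from the IdP audit log; None if never disabled


def business_days_between(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end`.
    Public holidays are not modelled (assumption)."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def remediation_within_sla(r: Remediation) -> bool:
    if r.removed is None:
        return False
    return business_days_between(r.raised, r.removed) <= REMEDIATION_SLA_BUSINESS_DAYS


def termination_within_sla(t: Termination) -> bool:
    if t.disabled_at is None:
        return False
    if t.voluntary:
        # Section 1.3: disabled on the last working day, i.e. that calendar day or earlier.
        return t.disabled_at.date() <= t.effective.date()
    return t.disabled_at - t.effective <= INVOLUNTARY_DISABLE_CUTOFF


def audit_report(reviews_assigned: int, reviews_completed: int,
                 remediations: list, terminations: list) -> dict:
    """Return the computed metrics and a pass/fail verdict for each checklist item."""
    completion = reviews_completed / reviews_assigned if reviews_assigned else 0.0
    late = [r.finding_id for r in remediations if not remediation_within_sla(r)]
    missed = [t.user for t in terminations if not termination_within_sla(t)]
    offboarding_pct = 100.0 * (1 - len(missed) / len(terminations)) if terminations else 100.0
    return {
        "review_completion_rate": round(completion, 4),
        "review_completion_pass": completion >= REVIEW_COMPLETION_TARGET,
        "remediation_sla_breaches": late,
        "remediation_sla_pass": not late,
        "offboarding_sla_pct": round(offboarding_pct, 1),
        "offboarding_sla_pass": not missed,   # section 1.3 demands 100% within timeframe
        "offboarding_breaches": missed,
    }


# Constructed sample evidence (not real Acme Corp records).
SAMPLE_REMEDIATIONS = [
    Remediation("AR-2025-Q3-01", date(2025, 8, 1), date(2025, 8, 8)),   # Fri -> next Fri: 5 business days, pass
    Remediation("AR-2025-Q3-02", date(2025, 8, 1), date(2025, 8, 11)),  # Fri -> following Mon: 6, fail
    Remediation("AR-2025-Q3-03", date(2025, 9, 15), None),              # still open: fail
]
SAMPLE_TERMINATIONS = [
    Termination("alice", True, datetime(2025, 9, 30, 17, 0), datetime(2025, 9, 30, 16, 45)),
    Termination("bob", True, datetime(2025, 9, 30, 17, 0), datetime(2025, 10, 1, 9, 5)),     # next day: fail
    Termination("carol", False, datetime(2025, 10, 2, 10, 0), datetime(2025, 10, 2, 10, 20)),
]

if __name__ == "__main__":
    report = audit_report(200, 193, SAMPLE_REMEDIATIONS, SAMPLE_TERMINATIONS)
    for item, value in report.items():
        print(f"{item}: {value}")
```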

1.4 Privileged Access Management

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Separate administrative accounts from standard accounts | Review privileged user list | Admin accounts list + standard accounts | |
Privileged accounts used only when elevated access required | Review admin account usage logs | Admin account activity logs | |
Enhanced monitoring enabled for privileged activities | Verify monitoring configuration | Monitoring config + privileged activity logs | |
Annual background checks for privileged users (if applicable) | Review background check records | Background check documentation | |
Service account passwords stored in secure vault | Verify service account credential storage | Password vault access logs + inventory | |

2. Authentication and Password Management

Policy Reference: SEC-003: Password and Authentication Policy

2.1 Password Requirements

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Password policy enforces minimum 12 characters (16 for admin) | Review password policy configuration | Password policy settings screenshot | |
Password complexity requirements enforced | Test password creation with weak passwords | Password policy enforcement test results | |
Password history prevents reuse of last 5 passwords | Test password change with previous password | Password history configuration | |
Password expiration: 90 days standard, 60 days admin | Review password age reports | Password expiration report | |
Account lockout after 5 failed attempts within 15 minutes | Test account lockout functionality | Lockout policy configuration + test results | |
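The lockout item above (and the failed-login alerting item in section 7.1) can be verified from evidence rather than only by a live test: replay the authentication log, compute where the 5-failures-in-15-minutes rule requires a lockout, and compare against the lockouts the identity provider actually recorded. The script below is an added example, not part of the checklist; it assumes a constructed one-line-per-event log format and that a successful login resets the failure counter.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Thresholds from checklist section 2.1: lockout after 5 failed attempts within 15 minutes.
FAILED_ATTEMPT_LIMIT = 5
FAILURE_WINDOW = timedelta(minutes=15)

# Constructed log format for this example (assumption; a real IdP export differs):
#   <ISO-8601 timestamp> <username> <LOGIN_OK|LOGIN_FAIL>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(LOGIN_OK|LOGIN_FAIL)$")


def parse_line(line):
    """Return (timestamp, user, outcome), or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def expected_lockouts(lines):
    """Replay the log and return (user, timestamp) pairs at which the section 2.1
    policy requires a lockout: a failure that is the 5th within a 15-minute span.
    A successful login clears the counter (assumption, matching the common
    'reset counter on success' behaviour); a lockout clears it too, so the
    next failures start a fresh count."""
    recent = {}    # user -> deque of failure timestamps still inside the window
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, outcome = parsed
        window = recent.setdefault(user, deque())
        if outcome == "LOGIN_OK":
            window.clear()
            continue
        window.append(ts)
        while ts - window[0] > FAILURE_WINDOW:   # drop failures older than 15 minutes
            window.popleft()
        if len(window) >= FAILED_ATTEMPT_LIMIT:
            events.append((user, ts))
            window.clear()
    return events


def missing_lockouts(lines, observed_lockouts):
    """Audit check: every lockout the policy requires must appear in the IdP's
    lockout records; anything left over is evidence for a Fail on this item."""
    return sorted(set(expected_lockouts(lines)) - set(observed_lockouts))


# Constructed sample log (not real data): dave fails 5 times in 8 minutes (lockout
# required), erin fails 5 times spread over 40 minutes (never 5 inside one 15-minute
# window), frank fails 4 times, succeeds, then fails once more (counter was reset).
SAMPLE_LOG = """
2025-10-06T09:00:00 dave LOGIN_FAIL
2025-10-06T09:02:00 dave LOGIN_FAIL
2025-10-06T09:04:00 dave LOGIN_FAIL
2025-10-06T09:06:00 dave LOGIN_FAIL
2025-10-06T09:08:00 dave LOGIN_FAIL
2025-10-06T09:00:00 erin LOGIN_FAIL
2025-10-06T09:10:00 erin LOGIN_FAIL
2025-10-06T09:20:00 erin LOGIN_FAIL
2025-10-06T09:30:00 erin LOGIN_FAIL
2025-10-06T09:40:00 erin LOGIN_FAIL
2025-10-06T10:00:00 frank LOGIN_FAIL
2025-10-06T10:01:00 frank LOGIN_FAIL
2025-10-06T10:02:00 frank LOGIN_FAIL
2025-10-06T10:03:00 frank LOGIN_FAIL
2025-10-06T10:04:00 frank LOGIN_OK
2025-10-06T10:05:00 frank LOGIN_FAIL
""".strip().splitlines()

if __name__ == "__main__":
    # An empty observed list simulates an IdP that recorded no lockouts at all.
    for user, ts in missing_lockouts(SAMPLE_LOG, observed_lockouts=[]):
        print(f"FAIL: policy required lockout of {user} at {ts.isoformat()} but none was recorded")
```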

2.2 Multi-Factor Authentication (MFA)

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
MFA required for all Google Workspace accounts | Generate MFA enrollment report | MFA enrollment compliance report (target: 100%) | |
MFA required for administrative accounts on non-SSO systems | Review admin accounts for MFA | Admin account MFA status | |
MFA required for systems with sensitive data (PHI) | Review MFA configuration on critical systems | System MFA requirements documentation | |
MFA enrollment tracked and enforced | Review MFA compliance tracking | MFA compliance reports and enforcement | |

2.3 Single Sign-On (SSO)

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Google Workspace SSO is primary authentication method | Review application authentication methods | Application authentication inventory | |
New applications integrate with SSO where feasible | Review new app onboarding records | App integration documentation | |
Non-SSO systems documented with justification | Review shadow IT inventory | Non-SSO systems list + exceptions | |
Context-aware access policies configured | Review context-aware access settings | Google Workspace access policy config | |

3. Security Awareness and Training

Policy Reference: HR-001: Employee IT Training and Awareness Policy

3.1 New Hire Training

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
New hire IT orientation completed within first week | Review onboarding records for past year | New hire training completion dates | |
Security awareness training completed before full access | Cross-reference training dates with access grants | Training completion + access provisioning dates | |
Training completion tracked and documented | Review training tracking system | Training completion records | |
Training certificates stored in employee records | Verify certificate storage | Sample employee files with certificates | |

3.2 Annual Security Training

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Annual security awareness training assigned to all employees | Verify training assignment records | Training assignment list (100% of employees) | |
Training completion deadline: March 31st annually | Review completion dates | Training completion dates report | |
Training completion rate: Target 100% | Calculate completion percentage | Training compliance report | |
Escalation process for non-compliance | Review escalation records | Non-compliance escalation documentation | |
Access restrictions for non-compliant employees (if applicable) | Review enforcement actions | Access restriction records | |

3.3 Phishing Simulations

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Quarterly phishing simulations conducted | Verify 4 campaigns in past year | Phishing simulation campaign reports | |
Click rates tracked and reported | Review phishing metrics | Click rate reports by campaign | |
Users who fail receive immediate micro-training | Verify remedial training assignment | Failed user training records | |
Target click rate: < 5% | Calculate average click rate | Phishing simulation trend analysis | |
Metrics reported to leadership | Review leadership reports | Executive dashboard/reports on phishing | |

3.4 Role-Specific Training

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Privileged users complete specialized training | Review training records for admin users | Admin user training completion records | |
Role-based training assigned appropriately | Review role-based training assignments | Training assignment by role | |
Refresher training annually or upon role change | Verify refresher training schedule adherence | Refresher training completion dates | |

4. Incident Response and Management

Policy Reference: SEC-004: Incident Response and Reporting Policy

4.1 Incident Reporting

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Incident reporting channels available and publicized | Verify reporting contact information posted | Screenshots of reporting channels | |
Critical incidents (P1) reported within 15 minutes | Review sample of P1 incidents | Incident discovery + report timestamps | |
High incidents (P2) reported within 1 hour | Review sample of P2 incidents | Incident timestamps | |
Medium/Low incidents (P3/P4) reported within 4 hours | Review sample of lower severity incidents | Incident timestamps | |
All incidents logged in tracking system | Verify incident tracking system usage | Incident ticket system reports | |

4.2 Incident Response Procedures

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Incidents classified by severity (P1-P4) | Review incident classification consistency | Incident classification documentation | |
Incident response team roster current and accurate | Review team roster | Incident response team contact list | |
Response procedures documented for each severity level | Review incident response playbooks | Response procedure documentation | |
Containment actions taken to limit damage | Review incident response records | Containment action documentation | |
Eradication procedures followed to remove threats | Review incident resolution documentation | Eradication and remediation records | |

4.3 Post-Incident Activities

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Post-incident reviews conducted for P1/P2 incidents | Verify PIR completion for critical incidents | Post-incident review reports | |
Lessons learned documented | Review PIR documentation | Lessons learned documentation | |
Policy and procedure updates based on incidents | Review policy update log | Policy changes from incident learnings | |
Corrective actions tracked to completion | Review corrective action tracking | Corrective action items and status | |
Incident metrics reported to leadership | Review leadership reporting | Incident summary reports/dashboards | |

4.4 Incident Response Testing

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Incident response drills conducted annually (minimum) | Review test/drill records | IR drill documentation and results | |
Tabletop exercises or simulations performed | Review exercise records | Tabletop exercise scenarios and outcomes | |
Drill findings documented and addressed | Review drill after-action reports | Drill findings and remediation | |

5. Data Protection and Privacy

Policy Reference: PRIV-001: Data Privacy and Security Policy

5.1 Data Classification

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Data classification schema documented (Public, Internal, Confidential, Restricted) | Review classification documentation | Data classification policy | |
Employees trained on data classification | Review training records | Data classification training completion | |
Data owners assigned for critical data sets | Review data ownership documentation | Data ownership matrix | |
Classification labeling procedures in place (if applicable) | Review labeling implementation | Labeling procedures and examples | |

5.2 Data Encryption

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Data encrypted at rest (AES-256 or equivalent) | Review encryption configuration | Encryption settings/configuration | |
Data encrypted in transit (TLS 1.2+) | Review TLS configuration | TLS configuration and certificate info | |
Backups encrypted | Verify backup encryption | Backup encryption configuration | |
Mobile devices encrypted | Review MDM encryption compliance | Device encryption compliance report | |
Encryption keys managed securely | Review key management practices | Key management documentation | |

5.3 Data Access Controls

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Access to sensitive data limited to authorized users | Review sensitive data access controls | Access control lists for sensitive data | |
Data owner approval required for sensitive data access | Review access approval records | Data owner approval documentation | |
Access logs maintained for sensitive data access | Verify logging configuration | Data access audit logs | |
Regular reviews of sensitive data access | Review audit records | Sensitive data access review reports | |

5.4 Data Retention and Disposal

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Data retention schedules documented | Review retention policy | Data retention schedule documentation | |
Automated data deletion processes configured | Verify automation configuration | Automated deletion configuration | |
Data sanitization procedures documented | Review sanitization methodology | Data sanitization procedures (NIST 800-88) | |
Equipment sanitization upon disposal | Review equipment disposal records | Sanitization certificates/logs | |

6. Endpoint and Mobile Device Security

Policy Reference: SEC-005: Remote Work and Mobile Device Management

6.1 Mobile Device Management (MDM)

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
MDM solution deployed for company-issued devices | Verify MDM deployment | MDM enrollment statistics | |
Device enrollment required before accessing company data | Review enrollment enforcement | MDM enrollment compliance report | |
Lost/stolen device remote wipe capability enabled | Test remote wipe functionality | Remote wipe capability documentation | |
Device compliance policies configured and enforced | Review compliance policy configuration | MDM policy settings | |

6.2 Endpoint Security

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Endpoint protection (antivirus/EDR) deployed on all devices | Generate endpoint protection coverage report | Endpoint security deployment report (target: 100%) | |
Endpoint protection signatures/definitions up to date | Review signature update compliance | Signature update status report | |
Malware detection and quarantine functioning | Review malware detection logs | Malware detection and remediation logs | |
Firewall enabled on all endpoints | Review firewall status | Endpoint firewall compliance report | |

6.3 Patch Management

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Operating system patches deployed on time | Review patch deployment reports | OS patch compliance report | |
Application patches deployed on time | Review application patching | Application patch status | |
Critical security patches deployed within [X days] | Calculate patch deployment time | Critical patch deployment timeline | |
Patch deployment testing conducted | Review patch testing procedures | Patch testing documentation | |

7. System Monitoring and Logging

Policy Reference: OPS-010: System Monitoring and Performance Management Policy

7.1 Security Monitoring

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Security monitoring and alerting configured | Review monitoring configuration | Monitoring system configuration | |
Failed login attempts monitored and alerted | Verify failed login alerting | Failed login alert configuration + samples | |
Privileged access activity monitored | Review privileged activity logs | Privileged access monitoring logs | |
Security events logged and retained | Verify logging configuration and retention | Log retention configuration | |
Logs retained for minimum [1 year] | Review log retention settings | Log retention policy compliance | |

7.2 Log Review and Analysis

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Security logs reviewed regularly | Review log review procedures | Log review documentation/schedule | |
Automated alerting for critical security events | Verify alert configuration | Alert rules and thresholds | |
Alerts investigated and documented | Review alert response records | Alert investigation tickets | |
Log analysis tools configured and operational | Review SIEM/log analysis tool status | Log analysis tool configuration | |

7.3 Performance Monitoring

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
System performance monitored | Review monitoring dashboards | Performance monitoring configuration | |
Capacity monitoring and alerting configured | Verify capacity alerts | Capacity threshold configuration | |
Availability monitoring operational | Review uptime monitoring | Availability monitoring reports | |
Performance issues tracked and resolved | Review performance issue tickets | Performance incident records | |

8. Change Management

Policy Reference: OPS-004: Change Management Policy

8.1 Change Request and Approval

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
All changes submitted through formal process | Review change ticket system | Change request tickets | |
Business justification documented for changes | Review change documentation | Change justifications | |
Risk assessment conducted for changes | Review change risk assessments | Risk assessment documentation | |
Appropriate approval obtained before implementation | Review approval records | Change approval documentation | |
Emergency change procedures documented and followed | Review emergency change records | Emergency change documentation | |

8.2 Change Implementation

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Testing performed before production implementation | Review test documentation | Change testing records | |
Rollback plan documented for each change | Review change documentation | Rollback plans | |
Change communications sent to affected users | Review change communications | Communication records | |
Implementation window scheduled | Review change calendar | Change schedule documentation | |

8.3 Post-Implementation

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Post-implementation verification performed | Review verification documentation | Post-change verification records | |
Change success/failure documented | Review change closure documentation | Change outcome documentation | |
Post-implementation review conducted | Review PIR documentation | Post-implementation review reports | |
Lessons learned captured | Review lessons learned documentation | Lessons learned from changes | |

9. Backup and Disaster Recovery

Policy Reference: OPS-001: Backup and Disaster Recovery Policy

9.1 Backup Procedures

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Daily backups performed for critical systems | Review backup logs for past 90 days | Daily backup completion logs | |
Backup success rate ≥ 99.9% | Calculate backup success percentage | Backup metrics report | |
Backup failures alerted and investigated | Review backup failure alerts | Backup failure alert logs and investigations | |
Backups encrypted | Verify backup encryption | Backup encryption configuration | |
Backups stored offsite (separate region) | Verify backup storage location | Backup storage configuration | |

9.2 Backup Verification

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Monthly backup restoration tests conducted | Review test records for past year | Backup restoration test results (12 months) | |
Random data samples restored and verified | Review restoration test methodology | Sample restoration documentation | |
Restoration test results documented | Review test documentation | Restoration test reports | |
Backup verification automated where possible | Review automation configuration | Automated backup verification setup | |

9.3 Disaster Recovery Testing

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Quarterly DR tests for critical systems | Verify 4 DR tests conducted | DR test reports (Q1, Q2, Q3, Q4) | |
Annual full-scale DR drill | Review annual DR drill documentation | Full DR drill report | |
DR test results documented with findings | Review test documentation | DR test results and findings | |
RTO/RPO objectives met during tests | Compare test results to RTO/RPO | RTO/RPO achievement documentation | |
DR procedures updated based on test findings | Review procedure updates | DR procedure update documentation | |

9.4 Business Continuity

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Business continuity plan documented | Review BCP documentation | BCP document | |
Critical systems and dependencies identified | Review BIA documentation | Business impact analysis | |
RTO/RPO defined for all critical systems | Review RTO/RPO documentation | RTO/RPO matrix | |
BCP reviewed and updated annually | Verify annual review | BCP review and approval dates | |

10. Vendor and Third-Party Management

Policy Reference: COMP-003: Vendor Management Policy

10.1 Vendor Assessment

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Security assessments conducted for new vendors | Review vendor assessment records | Vendor security questionnaires | |
Vendor risk classification assigned (Low/Medium/High/Critical) | Review risk classifications | Vendor risk rating documentation | |
SOC 2 reports obtained for critical vendors | Review SOC 2 report inventory | Critical vendor SOC 2 reports | |
Vendor contracts include security requirements | Review vendor contracts | Contract security clauses | |

10.2 Vendor Oversight

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Regular vendor reviews conducted | Review vendor review meeting minutes | Vendor review documentation | |
Vendor performance monitored | Review performance metrics | Vendor performance reports | |
Vendor incidents tracked and managed | Review vendor incident records | Vendor incident documentation | |
Annual reassessment of critical vendors | Verify annual reassessments | Vendor reassessment records | |

10.3 Vendor Offboarding

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Data return or destruction upon vendor termination | Review offboarding records | Data return/destruction certificates | |
Vendor access revoked upon contract termination | Review access revocation | Vendor access removal documentation | |
Vendor offboarding checklist completed | Review offboarding checklists | Completed vendor offboarding checklists | |

11. Physical Security

Policy Reference: HR-010: Workplace Health & Safety (partial); Physical Security Policy (if exists)

11.1 Facility Access

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Access badges required for facility entry | Verify badge system operation | Badge system documentation | |
Visitor management procedures in place | Review visitor procedures | Visitor log/sign-in records | |
Lost badges reported and deactivated | Review badge deactivation records | Lost badge reports and deactivations | |
Badge access reviewed and updated | Review access list accuracy | Badge access audit records | |

11.2 Secure Areas (if applicable)

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Data center/server room access restricted | Review access controls | Data center access control config | |
Access logs maintained for secure areas | Review access logs | Secure area access logs | |
Environmental controls operational (HVAC, fire suppression) | Review environmental monitoring | Environmental monitoring reports | |
Physical security monitoring (cameras, alarms) operational | Verify monitoring systems | Security system status reports | |

Note: If cloud-only infrastructure, document reliance on cloud provider physical security controls and review provider SOC 2 reports.


12. Acceptable Use and Code of Conduct

Policy Reference: SEC-001: Acceptable Use Policy, HR-007: Code of Conduct

12.1 Policy Acknowledgment

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Employees acknowledge AUP upon hire | Review new hire acknowledgments | Signed AUP acknowledgment forms | |
Annual policy acknowledgment required | Verify annual acknowledgments | Annual acknowledgment records | |
Code of conduct acknowledged by all employees | Review CoC acknowledgments | Code of conduct signature records | |
Policy acknowledgment tracked | Review tracking system | Policy acknowledgment tracking system | |

12.2 Policy Compliance

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
AUP violations investigated and documented | Review violation records | AUP violation investigation records | |
Disciplinary action taken for policy violations | Review disciplinary actions | Disciplinary action documentation | |
Monitoring conducted to detect policy violations | Review monitoring procedures | Monitoring logs and reports | |

13. Compliance and Documentation

Policy Reference: All policies, COMP-001: Data Retention and Archiving

13.1 Policy Management

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
All policies reviewed annually | Review policy review dates | Policy review and approval records | |
Policy updates documented with version control | Review policy revision history | Policy version control records | |
Policies accessible to relevant personnel | Verify policy repository access | Policy repository access logs | |
Policy changes communicated to affected staff | Review communication records | Policy update communications | |

13.2 Compliance Reporting

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Quarterly compliance reports generated | Review compliance reporting | Quarterly compliance reports (Q1-Q4) | |
Metrics tracked and reported (training, access reviews, incidents, etc.) | Review metrics dashboard | Compliance metrics dashboard | |
Findings tracked in issue tracking system | Review issue tracking | Compliance findings and remediation tracking | |
Leadership receives regular compliance updates | Review leadership reports | Executive compliance reports | |

13.3 Documentation and Records

Audit Item | Verification Procedure | Evidence to Collect | Pass/Fail | Notes
Security documentation maintained and current | Review documentation inventory | Document inventory and review dates | |
Audit trail/evidence collection ongoing | Verify evidence collection processes | Evidence collection procedures | |
Records retained per retention schedule | Review retention compliance | Retention schedule compliance report | |
Confidential documents stored securely | Review document storage | Document storage security controls | |

Audit Summary and Reporting

Audit Findings Summary

Category | Items Audited | Pass | Fail | N/A | % Compliance
1. Access Control and Identity Management | | | | |
2. Authentication and Password Management | | | | |
3. Security Awareness and Training | | | | |
4. Incident Response and Management | | | | |
5. Data Protection and Privacy | | | | |
6. Endpoint and Mobile Device Security | | | | |
7. System Monitoring and Logging | | | | |
8. Change Management | | | | |
9. Backup and Disaster Recovery | | | | |
10. Vendor and Third-Party Management | | | | |
11. Physical Security | | | | |
12. Acceptable Use and Code of Conduct | | | | |
13. Compliance and Documentation | | | | |
TOTAL | | | | |

Critical Findings

List any critical security gaps that require immediate attention:

  1. [Finding description]
     Risk: [High/Medium/Low]
     Recommendation: [Remediation steps]
     Owner: [Responsible party]
     Deadline: [Target completion date]

High Priority Findings

List high priority findings that should be addressed within 30-60 days:

[Continue with findings...]

Medium/Low Priority Findings

List findings that should be addressed but are not urgent:

[Continue with findings...]

Recommendations for Improvement

List recommendations for enhancing security posture beyond compliance:

[List recommendations...]


Audit Completion Checklist

  • ☐ All audit sections completed
  • ☐ Evidence collected and documented
  • ☐ Findings categorized by severity
  • ☐ Recommendations documented
  • ☐ Remediation plans created for findings
  • ☐ Audit report drafted
  • ☐ Audit report reviewed by audit team
  • ☐ Audit report presented to management
  • ☐ Findings entered into tracking system
  • ☐ Follow-up audit scheduled

Auditor Information

Audit Conducted By: _____ Audit Date(s): _____ Audit Report Date: ________

Reviewed By: _____ Review Date: _____

Approved By: _____ Approval Date: _____


Document Information

Document: Annual Security Audit Checklist
Version: 1.0
Classification: Internal - Confidential
Distribution: Audit Team, IT Security, Compliance, Executive Leadership


This Security Audit Checklist was generated from Acme Corp's Policy Framework demonstrating "Compliance as Code" - instantly generating professional audit tools worth $3K-5K from well-structured policy documentation.