Security Audit Procedures: A Step-by-Step Guide for Australian Organisations


A security audit checks whether the controls an organisation relies on actually exist, work, and match the risks it faces. Done well, it replaces assumption with evidence. The security audit procedures below follow a repeatable sequence: define the scope, gather evidence against a recognised standard, test the controls, rate the gaps by risk, and report findings that a board can act on. The same structure applies whether the audit covers a single building or a national property portfolio.

Key takeaways

  • A security audit measures controls against a defined benchmark; a security risk assessment decides which risks matter most. The two are related but not the same.
  • Sound procedures move in order: scope, benchmark, evidence, testing, risk rating, and reporting.
  • Australian organisations commonly benchmark against AS ISO 31000:2018 and, for government, the Protective Security Policy Framework.
  • A finding is only useful when it states the gap, the risk it creates, and the recommended treatment.
  • Independent auditors reduce the conflict of interest that arises when the team that designed a control also assesses it.

What is a security audit?

A security audit is a structured examination of an organisation’s security controls against a defined standard or policy, to confirm whether those controls are present, adequate, and operating as intended. It produces documented evidence of compliance and a prioritised list of gaps.

A security audit differs from a security risk assessment. An audit asks whether the controls meet the benchmark, while a security risk assessment asks what could harm the organisation, how likely it is, and what should be done about it. Most mature programs use both: the risk assessment sets priorities, and the audit verifies that the agreed controls are holding.

What standards do security audits use in Australia?

An audit needs a benchmark. The benchmark is the policy, standard, or framework the controls are measured against. Common Australian references include:

  • AS ISO 31000:2018, Risk management — Guidelines, for the risk management approach that underpins the audit, with security-specific guidance in SA HB 167:2025 [1]
  • The Protective Security Policy Framework, for Australian Government entities and the organisations that work with them [2]
  • An organisation’s own security policy, plans, and contractual or insurance obligations.

Government and critical infrastructure organisations often have a mandated benchmark. Commercial organisations usually choose one that fits their sector and obligations. The benchmark should be agreed before evidence gathering begins, because it defines what compliant means for the audit.

The security audit procedure, step by step

Step 1: Define the scope and objectives

Agree what is being audited and why. Set the sites, systems, assets, and control areas in scope, the benchmark, the period under review, and the audience for the report. A tightly defined scope keeps the audit fair and the findings comparable over time. Record any exclusions so they are not mistaken for gaps later.

Step 2: Select the benchmark and build the audit criteria

Translate the chosen standard or policy into concrete, testable criteria. Each criterion should be specific enough that two competent auditors would reach the same conclusion from the same evidence. Vague criteria produce arguable findings.

Step 3: Gather evidence

Collect evidence against each criterion from documents, interviews, and direct observation. Useful sources include policies and procedures, access logs, maintenance records, incident reports, training records, and site inspections of physical controls such as perimeters, locks, CCTV, and alarms. Evidence should be recorded against the criterion it supports, so the conclusion is traceable.

Step 4: Test the controls

Confirm that controls work in practice, not only on paper. Testing might include checking that access cards are deactivated promptly when staff leave, that cameras cover the areas the design claims, that alarm responses occur within the stated time, and that documented procedures match what staff actually do. Where a control applies to many items (every leaver, every door, every camera), test a sample the auditor selects from the source records, not one supplied by the control owner, and record the sample size so the conclusion can be weighed. The gap between the documented control and the operating control is often where the real exposure sits.

Step 5: Rate the findings by risk

Rate each gap by the risk it creates, using the likelihood and consequence approach of AS ISO 31000:2018, rather than listing every deviation as equal [1]. Use the likelihood and consequence scales agreed in the audit criteria so that ratings are consistent across findings and comparable with the organisation's risk assessment. A door propped open in a public foyer and a propped door to a server room are not the same finding. Risk rating tells the organisation what to fix first.

Step 6: Report and recommend treatments

Write findings that stand on their own. Each finding should state the gap, the risk it creates, the evidence, and a recommended treatment with an indicative priority. Group the findings so an executive can read the summary and a facility manager can action the detail. A good audit report is judged by whether the organisation can act on it without going back to ask what a finding meant.

Step 7: Track remediation and re-test

An audit closes the loop only when the agreed treatments are implemented and verified. Set owners and dates against each recommendation, and re-test the controls that failed. Auditing on a planned cycle, rather than once after an incident, is what turns a one-off check into an assurance program.
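As an added example that is not part of the original article, the script below automates one of the control tests named in Step 4 (prompt deactivation of leavers' access cards), rates each gap with a likelihood and consequence matrix as in Step 5, and emits findings in the gap / risk / evidence / treatment shape of Step 6; re-running it after the cards are fixed is the re-test of Step 7. The HR leaver list, card export and door-event log are constructed for illustration, the column names are assumptions rather than any real access-control vendor's export format, and the door consequence values and rating bands are assumed placeholders for the criteria agreed at scoping.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (not real data); column names are assumptions.
HR_LEAVERS = """employee_id,name,last_day
E1001,A. Nguyen,2024-05-10
E1002,B. Singh,2024-05-17
E1003,C. Rossi,2024-05-20
E1004,D. Okafor,2024-05-24
"""
CARD_EXPORT = """card_id,employee_id,status,deactivated_at
C-7781,E1001,active,
C-7782,E1002,inactive,2024-05-17T18:02:00
C-7783,E1003,inactive,2024-05-29T09:15:00
C-7784,E1004,active,
C-7790,E2000,active,
"""
DOOR_EVENTS = """timestamp,card_id,door,result
2024-05-14T07:52:00,C-7781,Server Room L2,granted
2024-05-16T12:30:00,C-7782,Main Foyer,granted
2024-05-21T17:45:00,C-7783,Loading Dock,granted
2024-05-24T16:10:00,C-7784,Main Foyer,granted
"""

# Consequence of misuse per door on a 1-5 scale: assumed values, in practice
# taken from the asset criticality agreed at scoping (Step 1).
DOOR_CONSEQUENCE = {"Server Room L2": 5, "Loading Dock": 3, "Main Foyer": 2}
DEFAULT_CONSEQUENCE = 3  # assumed for a live card with no post-departure use
PRIORITY = {"Extreme": 1, "High": 2, "Medium": 3, "Low": 4}


def rate(likelihood, consequence):
    """Map a likelihood x consequence product (each 1-5) onto a four-band
    rating. The band boundaries are an assumed matrix; use your criteria's."""
    score = likelihood * consequence
    if score >= 16:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def check_leaver_deactivation(hr_csv, cards_csv, events_csv, grace_hours=24, as_at=None):
    """Return one finding per leaver whose card stayed live past the grace
    period or was used after their last day, sorted by priority. as_at is the
    audit date (ISO string; defaults to now): a still-active card is a gap only
    once its deadline has actually passed."""
    now = datetime.fromisoformat(as_at) if as_at else datetime.now()
    leavers = {r["employee_id"]: r for r in _rows(hr_csv)}
    events = _rows(events_csv)
    findings = []
    for card in _rows(cards_csv):
        leaver = leavers.get(card["employee_id"])
        if leaver is None:
            continue  # current staff are outside this test
        end_of_last_day = datetime.fromisoformat(leaver["last_day"]) + timedelta(days=1)
        deadline = end_of_last_day + timedelta(hours=grace_hours)
        deactivated = (datetime.fromisoformat(card["deactivated_at"])
                       if card["deactivated_at"] else None)
        late_use = [e for e in events if e["card_id"] == card["card_id"]
                    and e["result"] == "granted"
                    and datetime.fromisoformat(e["timestamp"]) >= end_of_last_day]
        in_time = deactivated is not None and deactivated <= deadline
        within_grace = deactivated is None and now <= deadline
        if (in_time or within_grace) and not late_use:
            continue  # control operated as documented
        if late_use:  # the failure was exploited, not merely latent
            likelihood = 5
            consequence = max(DOOR_CONSEQUENCE.get(e["door"], DEFAULT_CONSEQUENCE)
                              for e in late_use)
            evidence = "; ".join(f"{e['timestamp']} {e['door']} {e['result']}" for e in late_use)
        else:
            likelihood, consequence = 3, DEFAULT_CONSEQUENCE
            evidence = (f"card {card['card_id']} deactivated {card['deactivated_at']}"
                        if deactivated else f"card {card['card_id']} still active")
        rating = rate(likelihood, consequence)
        findings.append({
            "gap": (f"Card {card['card_id']} for leaver {leaver['name']} (last day "
                    f"{leaver['last_day']}) was not deactivated within {grace_hours}h"),
            "risk": rating, "likelihood": likelihood, "consequence": consequence,
            "evidence": evidence, "priority": PRIORITY[rating],
            "treatment": ("Deactivate the card now; feed HR leaver notices into the "
                          "access-control deactivation workflow and re-test next cycle"),
        })
    return sorted(findings, key=lambda f: f["priority"])


if __name__ == "__main__":
    for f in check_leaver_deactivation(HR_LEAVERS, CARD_EXPORT, DOOR_EVENTS, as_at="2024-05-30"):
        print(f"[{f['risk']}] {f['gap']}\n    evidence: {f['evidence']}")
```

Two design points matter for the audit. The audit date (as_at) decides whether a still-active card is a finding at all: a leaver whose grace period has not yet elapsed is not a gap, and treating it as one produces the arguable findings Step 2 warns against. And a card that was actually used after the last day is rated with likelihood 5 rather than 3, because the evidence shows the failure was exploited, not just latent; the door it opened sets the consequence, which is what separates the foyer from the server room.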

How often should a security audit be conducted?

There is no single mandated interval for most organisations. A common practice is a full audit annually, with interim checks after a significant change such as a new site, a restructure, a major incident, or a change in regulatory obligation. Sectors with specific obligations should align the cycle to those obligations. The right frequency is the one that keeps the evidence current between audits.

How Agilient can assist

Agilient conducts independent security audits for government and major commercial organisations across Sydney, Melbourne, Brisbane, Adelaide, and Canberra. As an independent, vendor-neutral consultancy, Agilient audits controls without any interest in selling the equipment or services that a finding might recommend, which keeps the assessment objective. Audits are benchmarked against recognised standards and, for government clients, the Protective Security Policy Framework, and they are delivered as board-ready reports with risk-rated findings and practical treatments.

Where an audit surfaces deeper questions about which risks matter most, Agilient’s security risk assessment service sets the priorities, and its protective security and PSPF work helps government entities meet their framework obligations.

Request a security audit or book a short briefing to talk through the right starting point for your organisation.

Frequently asked questions

What is the difference between a security audit and a security risk assessment?

A security audit measures existing controls against a defined benchmark to confirm compliance. A security risk assessment identifies and prioritises the risks an organisation faces and recommends treatments. The risk assessment sets priorities; the audit verifies the controls.

What standard should an Australian security audit follow?

Most Australian organisations benchmark against AS ISO 31000:2018 for the risk approach, with security-specific guidance from SA HB 167:2025, and government entities use the Protective Security Policy Framework. The benchmark should be agreed at the start of the audit.

How long does a security audit take?

It depends on the number of sites, the breadth of controls, and the evidence available. A single-site audit may take days, while a multi-site portfolio audit takes longer. Agreeing a tight scope at the outset is the main factor in keeping it efficient.

Who should conduct a security audit?

An auditor who is independent of the team that designed or operates the controls, to avoid the conflict of interest that arises when a group assesses its own work. Independence is a core reason organisations engage an external consultancy.

What does a security audit report include?

A scope statement, the benchmark used, risk-rated findings with supporting evidence, and recommended treatments with priorities, structured so executives and operational staff can both act on it.

References

  1. Standards Australia, AS ISO 31000:2018 Risk management — Guidelines, standards.org.au
  2. Department of Home Affairs, Protective Security Policy Framework, protectivesecurity.gov.au