The intent of testing is to appraise the level of security and identify vulnerabilities for mitigation measures. Vulnerability assessments identify and report on security weaknesses and vulnerabilities in the target system. This analysis is an important element of any activity in risk management. Vulnerability assessment components help in integrating all the steps in this analysis by automating the process of detecting, identifying, measuring, and understanding the vulnerabilities found in a target ICT system or infrastructure (Anderson & Rainie, 2010). In order to achieve this, the process involves both passive and active scanning, and this is important in verifying that the vulnerabilities are both present and exploitable.

In addition, tools used in vulnerability assessment are capable of performing on various network nodes including networking and networked devices such as printers, routers, and firewalls, as well as desktops, servers, and mobile devices, which present a new set of security issues that requires being handled (Price, 2003).

Penetration testing uses security tools and techniques that help identify and validate vulnerabilities. External penetration testing helps identify weaknesses in a company’s network that might be exploited by an attacker to attack the enterprise environment from the internet. Internal testing seeks to detect and exploit weaknesses to determine if the unauthorized access or other shady activity can be performed in the target network (Price, 2003). This gives an indication whether the system is able to withstand any attack emerging at the point where the test was accessed. By testing the security of the system in this way, we seek to answer this question: “Can an attacker exploit the identified weaknesses?”

This information is necessary to help the company’s security team gain experience in defending against cyber-crimes (Anderson & Rainie, 2010). It provides objectivity regarding the existing vulnerabilities and the efficacy of defense and mitigating mechanisms in place and those intended to be implemented in future.

Audit Standards

Companies favor an integrated audit that covers financial controls as well as the information systems. Organizations have to ensure that they comply with the set audit standards and legislations in this process. An audit standard like Statement of Auditing Standard (SAS) number 70 complies with the American Institute of Certified Public Accountants (AICPA) and ensures that the measures of financial records and processes are sound (University of Maryland University College, 2010).

Integrating financial control and its audits is more practical for large organizations since most data are stored electronically and information systems are used in their day-to-day business. In addition, legislation like Sarbanes-Oxley requires companies to ensure compliance in