When a security audit reveals no documented procedures, the IS auditor should focus on:


When a security audit reveals no documented procedures, the most appropriate focus for the IS auditor is to evaluate existing practices. This approach allows the auditor to assess how security measures and controls are implemented in practice, even in the absence of formal documentation. By evaluating existing practices, the auditor can identify any gaps in the implementation of security protocols, uncover potential risks, and highlight areas for improvement.

This focus is critical because it provides insight into the organization's actual security posture, which may differ from what is expected based on written policies or procedures. Understanding how tasks are being carried out on the ground can help the auditor provide valuable recommendations for establishing effective documentation and refining existing processes.

Creating a new set of procedures would be premature without first understanding the current practices in place. It is essential to gather information about how processes have actually been executed, since that informs the development of new documentation aligned with real-world usage. Terminating the audit would not be justified solely because of a lack of documentation, as an audit can still yield important insights. Similarly, relying only on available data to assess compliance could overlook critical context about how security is managed within the organization. Therefore, evaluating existing practices serves as the foundational step in identifying and addressing security concerns effectively.
