How to Prepare for a Cybersecurity Audit

Maybe not at the top of your list of fun things to do, but managing a cybersecurity audit can be a necessary evil. Learn what to expect and how to prepare.
Cyber Security Audit

What is a cybersecurity audit?

In a cybersecurity audit, you verify that cybersecurity policies and procedures are in place to protect an organization’s informational assets. The goal of a cybersecurity audit is to measure a nonprofit's security compliance with cybersecurity norms, frameworks, or industry regulations. Cybersecurity audits must be comprehensive and thorough in order to expose any weaknesses in security and identify risks.

How does a cybersecurity audit differ from a cybersecurity assessment?

Cybersecurity audits and assessments serve different purposes. The cybersecurity audit verifies specific risks have been identified and addressed, whereas a cybersecurity assessment, like SecCheck, tests the risk to see how well security controls have been implemented. 

Cybersecurity Audit Cybersecurity Assessment
Verifies risks were identified and addressed Tests the risk to see how well security controls work
Determines if policies and procedures exist Assesses whether policies and procedures are effective
Uses checklists and standards Uses simulated attacks


Both can reveal gaps in cybersecurity. A cybersecurity risk assessment includes simulated cyberattacks and verification testing to understand how well risks have been mitigated. It also can assess the effectiveness of policies, procedures, or controls to mitigate risk.

Why would you do a cybersecurity audit instead of, or in addition to, a cybersecurity assessment?

  1. After a security incident, an audit can identify corrective action an organization can or must take to prevent a repeat incident. This is the most common reason for an audit. Some industry regulations require an audit conducted by an external party.
  2. Certification from a successful cybersecurity audit helps a nonprofit establish trust.
  3. An audit can identify if a change in policy is needed.

If you decide to do a cybersecurity audit, here are the steps you should take.


  1. Notify stakeholders

All stakeholders, internal and external, should be notified when an audit has been requested because they may be asked to provide information or be interviewed during the process. When communicating with stakeholders, consider including the following:

  1. The reason for the audit. 
  2. Who’s performing the audit? 
  3. When is the audit begin and how long will it last? 

Keep stakeholders involved and informed throughout the audit process. The outcome of a cybersecurity audit can impact the nonprofit organization's ability to achieve goals. A positive result may reduce cyber insurance premiums or give your organization the ability to increase funding, and comply with certain state or federal guidelines and regulations.

2. Take Inventory

Expect any cybersecurity audit to request an up-to-date inventory of systems, devices, and applications. If your nonprofit is prepared with an IT disaster recovery plan, you will already have commonly requested details such as an inventory of all hardware, software, and systems (both on-premise and cloud-based).

3. Get the audit checklist before the audit

Get the audit checklist before the audit begins. Having the checklist ahead of time allows time to prepare.

4. Review your policies

Policies are one of the many items included on an audit checklist. Many cybersecurity frameworks and industry standards require detailed policies. Our tech advisors offer assistance through a Policy Builder tool developed to help nonprofits with the daunting task of updating their technology policies.

5. Preschedule tests or deliverables

The cybersecurity audit checklist may require specific tests or deliverables to be completed for a positive outcome. Prescheduling these tasks will show the auditor that the organization is taking the audit seriously and speed up the process.


Careful IT Planning and preparation will set your nonprofit up for a successful cybersecurity audit. Anticipating disasters before they happen and having an IT disaster recovery plan in place when they do will also prepare your colleagues, community, and constituents for a cybersecurity breach that might initiate an audit. Schedule a consultation with our tech advisors by completing the form to the right to get started.

Learn About Our Cybersecurity Offerings