Introduction to Cyber Security - Understanding Incident Prevention

Incorporating Audits Into Your Workflow


The word "audit" describes any process designed to review and assess a system's current state, capacity, and integrity. An internal audit is a review process initiated and carried out by an organization itself. External audits are often performed by or on behalf of banking entities or government regulatory bodies like tax authorities.

You should look at compliance with regulatory frameworks like the credit card industry's "Payment Card Industry Data Security Standard" (PCI-DSS) or the US government's "Health Insurance Portability and Accountability Act" (HIPAA) as valuable opportunities. If you can legitimately pass those standards, then you can be fairly confident that you really are doing what you can to protect the privacy and security of the data you manage and, even more importantly, that your systems are reasonably secured against common threats.

For all intents and purposes, a formal security audit involves inspecting and testing all the systems that could impact security in one way or another. You might, for instance, be required to demonstrate that your data at rest and in transit is always encrypted, that all servers and workstations involved in your business are properly patched, that your networks block access to all but necessary users, that third-party vendors whose operations and products you use also comply with the necessary security standards, that you've got an effective protocol for regular data backups, and that you've got formal - and tested - emergency response and recovery plans.

We'll wrap up this lesson by quickly describing three categories of auditing tools. The first is the automated processing and parsing of your system logs. Whether your infrastructure stack lives in the cloud, on premises, or both, over time you're regularly going to be generating gigabytes of boring data. The only way to make sense of the mess is by streaming it through analytics scripts that can filter out the noise generated by millions of normal events and surface the serious ones. Good log monitoring systems can be configured to send alerts when possible problems are detected, or even to trigger automatic fixes.

If you're running anything more complicated than a WordPress website and a few laptops, then you'll probably need some kind of monitoring process. One low-level form of monitoring is an intrusion detection system (IDS). An IDS is software you install on a server whose function is to constantly monitor the state of a pre-set list of system and configuration files. If a watched file is updated or deleted - potentially an indication that unauthorized activity is going on - the IDS will send an alert to one or more admins. Once you've fine-tuned your IDS so it's not sending you annoying false positives all the time, it can be an effective first line of defence.
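As an added illustration of the file-monitoring IDS just described (example code written for this page, not code from the lesson or from any IDS product): it records a baseline of SHA-256 digests for a watched file set, then re-checks and reports which files were modified or deleted. The file names and contents are constructed sample data written to a temporary directory.

```python
"""Minimal file-integrity monitor: baseline a set of files, then detect drift."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the trusted state (path -> digest); run once on a known-good host."""
    return {str(p): sha256_of(Path(p)) for p in paths}


def check_against_baseline(baseline):
    """Re-hash every watched file and classify deviations from the baseline."""
    report = {"modified": [], "deleted": [], "unchanged": []}
    for name, expected in baseline.items():
        p = Path(name)
        if not p.exists():
            report["deleted"].append(name)      # file removed: alert-worthy
        elif sha256_of(p) != expected:
            report["modified"].append(name)     # content changed: alert-worthy
        else:
            report["unchanged"].append(name)
    return report


def demo():
    """Constructed scenario (sample data): three watched files; one is edited, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"sshd_config": b"PermitRootLogin no\n",
                 "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
                 "hosts": b"127.0.0.1 localhost\n"}
        for name, body in files.items():
            (root / name).write_bytes(body)
        baseline = build_baseline(root / n for n in files)
        (root / "sshd_config").write_bytes(b"PermitRootLogin yes\n")  # simulated tampering
        (root / "hosts").unlink()                                      # simulated deletion
        report = check_against_baseline(baseline)
        # Return bare file names so the result does not depend on the temp path.
        return {k: sorted(Path(p).name for p in v) for k, v in report.items()}
```

A real deployment would store the baseline somewhere the monitored host cannot silently rewrite it and would run the check on a schedule, alerting on anything in the `modified` or `deleted` lists.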

The second category of auditing tool involves penetration testing. A pen tester is usually an independent consultant hired by an organization to attempt to hack into their internal systems. In other words, pen testers are given explicit legal permission to do exactly what criminal hackers would do - without causing permanent damage, of course. Using attack software suites like OWASP ZAP or Metasploit, pen testers search for and then exploit vulnerabilities in an organization's systems. The further in a tester can penetrate, the more dangerous are the discovered vulnerabilities, and the more work you'll have to do to fix them.

Pen testing is expensive and sometimes even disruptive. But not nearly as much as suffering the same intrusions by an actual black-hat hacker. Another form of pen testing involves dividing your admins and engineers into red team attackers and blue team defenders for attack simulations. The teams compete to test how robust your defences are.

Vulnerability assessments are a less invasive form of pen testing. Rather than trying to breach your networks and servers, the assessors will instead scan your network from the outside looking for open ports and unpatched software. They'll also search the internet for information your employees might have inadvertently left on public platforms that could provide hints to active credentials or the secret sauce used by your software applications. How might that work? Well, free software exists that will, for instance, harvest data from job ads you might have placed on LinkedIn - especially from the "required skills" sections. Such software can also survey public posts from your team members, assessing the topics of interest in their Stack Overflow questions and answers. If this stuff is out there, you'll want to know about it.