A security audit compares a company's security policies with what is actually happening. Its objective is to validate that security controls exist, generally using a risk-based approach. Auditing often involves reviewing business processes and, in many cases, is not very technical. Not all audits are high level, but most are fairly simple.
Ethical hacking, by contrast, focuses on the vulnerabilities that can actually be exploited: it validates that security controls are missing or, at best, ineffective. Ethical hacking can be both highly technical and non-technical, and although it follows a formal methodology, it tends to be somewhat less structured than a formal audit.
If you perform audits in your organization, consider integrating ethical hacking techniques into your IT audit program. The two complement each other very well.
Internal security audit:
This type of audit assesses the level of security and privacy of the organization's internal local and corporate networks.
Perimeter security audit:
This type of analysis studies the perimeter of the local or corporate network and assesses the degree of security provided at its external entry points.
Intrusion test:
An intrusion test (penetration test) is an audit method in which the auditor attempts to gain access to the systems in order to measure their resistance to unwanted intrusion. It is a fundamental complement to the perimeter audit.
Forensic analysis:
Forensic analysis is the appropriate methodology for studying incidents after the fact: it seeks to reconstruct how the system was penetrated and to assess the damage caused. If the damage has rendered the system inoperable, the analysis is called a post-mortem analysis.