Definition: Audits, as they relate to information systems, compare observed practices with existing policies and procedures. An audit is an examination of an organization's information security processes. Its main purpose is to determine whether a "gap" exists between what the organization or business says it is doing and what is actually being done. Some reviews relate to specific standards such as ISO 27000; COBIT is another. Two other standards relate directly to compliance with government requirements (HIPAA, FISMA).
Its Relevance: A review of information systems processes and procedures is only possible when an organization has adopted official policies. If official practices exist, they must be periodically reviewed for accountability purposes. Assuring the proper use of information assets is impossible without comparing actual practices with policy. Complying with laws and regulations (e.g. HIPAA) helps avoid penalties and fines.