System administrators, or Information Technology Managers, in larger organizations have a rare opportunity to get audited. Sometimes the audits are external, sometimes they are internal. I say opportunity because an IT audit involves reviewing the entire IT operation and often times results in a high level of knowledge transfer to the auditee. A good auditor has experience with a variety of environments and will occasionally have had more security training than a typical system administrator has time for.

To do her/his job effectively, an auditor needs information from the auditee. This insight comes from Information Technology Security Surveys, Requests for Information, Risk Assessments, or general questionnaires. The questions themselves help the auditee to think about the kinds of security issues they face across their environment–from digital to physical threats.

There are some examples of these documents online. Not surprisingly, most come from public institutions. Here are a few we’ve found:
FDIC (Federal Deposit Insurance Corporation)
University of Illinois’ Risk Assessment
Purdue University
Georgia State University
Virginia Community College System
Ohio State University (pdf and Excel)

If you know of more, please let us know.