Learn how Security+ distinguishes internal and external audits, attestation, assessments, and penetration testing.
Audits and assessments are where organizations prove, test, or challenge their security claims. Security+ expects you to know the difference between internal and external review, attestation and evidence, and formal assessments versus offensive testing.
CompTIA is usually checking whether you can match each activity to the purpose it serves:
| Activity | Main purpose |
|---|---|
| Internal audit | independent internal review of controls and compliance posture |
| External audit | outside review for customers, regulators, or formal obligations |
| Attestation | formal assertion that stated conditions or controls are true |
| Assessment | structured evaluation of control effectiveness or risk |
| Penetration test | authorized exploitation to validate real attack impact |

| Need | Strongest first fit | Why |
|---|---|---|
| Independent internal readiness check | Internal audit | Tests control maturity before outside scrutiny |
| Customer or regulator needs outside assurance | External audit | Provides third-party validation |
| Formal statement that controls meet stated conditions | Attestation | Focuses on asserted status and supporting evidence |
| Broader technical or control evaluation | Assessment | Tests whether the control environment is effective |
| Proof that a weakness can be exploited | Penetration test | Demonstrates real attack impact under authorization |
```yaml
# Example scope-and-evidence record for an internal audit of access controls
review: internal-audit
scope:
  - user-access-reviews
  - privileged-account-logging
evidence:
  - quarterly_access_review_report
  - admin_log_samples
  - remediation_ticket_status
owner: security-governance
```
What to notice: the record names a scope, the evidence that will be examined, and an accountable owner. That is what makes the review auditable rather than a verbal assurance.
Security+ likes answer choices that sound similar but prove different things: an attestation asserts that a stated condition is true, an assessment evaluates whether controls are effective, and a penetration test demonstrates that a weakness is actually exploitable. Those are related, but not interchangeable.
A company wants proof that a public web application weakness is actually exploitable before disrupting production with a major emergency change. Which option is strongest?
A. Annual awareness training
B. Penetration testing performed within an approved scope
C. A generic high-level attestation statement
D. A visitor-access report
Best answer: B. The question asks for proof of exploitability, which is what authorized offensive testing is designed to provide. Training and a visitor-access report do not test the application at all, and a high-level attestation asserts a status rather than demonstrating an attack.
Continue with 5.6 Security Awareness & Training to finish the governance chapter with the human-control layer Security+ expects you to recognize.