What is an "Audit" versus what is an 'Assessment'?
~~~~     ~~~~     ~~~~
some 'definition of terms' for the faint-of-heart

Some items from the dictionary:

Audit:  an official inspection of an organization's or an individual's accounts (financial records), typically by an independent body

Assessment:  the evaluation or estimation of the nature, quality, or ability of someone or something

Appraisal: an act of assessing someone or something  <=== this is a 'freebie' - it uses the word 'assess' in its definition



NOW, let's corrupt both of those terms with the more common corporate-world perceptions of these terms and what they mean in corporate-world everyday life:


Audit:  comparing the PERFORMANCE of a PROCESS (that should already be in place) AGAINST some "Standard" - in the above (dictionary) definition there is an "Implied" standard (called "G.A.A.P.**" in the 'accounting' world) - for 'financial' audits.   The term 'audit' is expanded in the 'corporate' world to mean comparing the PERFORMANCE of an organizational process (and its people) in their pursuit of:
Against some internal or external "Standard".   The 'standard' for comparison or 'auditing-against' TYPICALLY comes from outside the organization (an Accounting Standard, a Quality Standard, a Security Standard, etc.)

The 'bottom-line' on an 'audit' is that audits are (basically) 'Pass-Fail' inspections - and the other KEY comes from the dictionary definition: 'Independent Body'.




Assessment: the evaluation or estimation of (pick a subject-area) - (typically) against a (typically internal) 'standard', but more about 'scoring' on a 'scale' of some sort...

In the "SEI" realm (Software Engineering Institute / software development 'quality') there is a scoring-scale of 1 ('worst') through 5 ('best') that is typically assigned at the end of an 'assessment'.

Assessment(s) are 'mostly' driven by an organizational 'demand' for self-improvement.  They are mostly 'scalable', in the sense that they are doable for about 10 people or for 500 people.  Assessments are 'mostly' about 'continuous improvement' - about how an organization can continue to change for the better.

FURTHER, assessment(s) are typically implemented to help the organization IMPROVE regardless of the people filling the job-descriptions.  That is, assessments are about improving the ORGANIZATION (though, admittedly, people make an organization) and about the use of PROCESS to improve an organization's methodology for dealing with a particular problem-space.

MOST of the time an assessment is also done by an 'independent body'.


** = G.A.A.P. = 'Generally Accepted Accounting Practices' - what this means (in the financial world) is 'Accounting according to the USA's A.A.C.P.A. (American Association of Certified Public Accountants)' organization.  This means 'best practices' and 'accountability' (are people actually doing what their job-description says they are supposed to do?).  Etc. Etc. Etc.


There is something 'similar' in the computing world, something some people call "G.A.C.P." = Generally Accepted Computing Practices - again, 'best practices'.

In the late 1980s through the mid-1990s this was roughly equivalent to the practice of Unix Systems Administration according to the policy, practice, and process described in the books by Evi Nemeth (and friends) and the books from "O'Reilly Press".

Since that time (mid 1990s) through the present (mid 2007) this definition has become less clear, but it is basically the practice of computing support with some degree of 'attention' to these aspects of computing, in this order:

With the basic understanding of a fundamental rule of computing:

                         Security = 1 / productivity

That is - the more secure a computer is, the less productive it is (as an access tool to information)....

The more "PUBLIC" the information is the less secure it is ...


last updated:   16:37 p.m. - Sunday, 09 September  2007;    revID:  1f     (in Stuart, Florida, USA)