To automate all security processes

To verify that security controls are functioning properly

To ensure data is always available

To eliminate the need for human resources

Assessments are more reliable than audits

Audits are only for financial controls, while assessments are for security controls

Assessments focus on system documentation, while audits are conducted by independent auditors

Assessments are always external, while audits are internal

The organization's IT department

Independent external entities

Internal staff members

The organization's management team

To evaluate the organization's financial reporting controls

To review the organization's privacy policies

To assess the organization's security controls

To provide a public disclosure of security measures

Type 1 reports cover a six-month period

Type 1 reports are more reliable than Type 2

Type 2 reports confirm the functioning of controls over a period

Type 2 reports are only for financial controls