Project Summary: Worksheet: Creating an Audit Plan Overview When establishing an audit program, the auditing committee or auditor identifies the elements of the organization’s IT infrastructure to be audited. As referenced in NIST SP 800-53 and NIST SP 800-53A controls and items to be reviewed are selected. Enterprises provide customers with operating systems, applications, hardware, Internet, VoIP, and security. These products and services are provided through internal hardware you would find in a server room, such as an application server, data storage, Web servers, email servers, call-managers, firewalls, and security appliances that provide network-based security and monitoring. Often, services such as SaaS, cloud-based storage, telephony, security, Web hosting, connectivity, routing, and switching are provided to an enterprise by a third-party vendor or other organization. Though these services are not inherent to the enterprise, they are still controls that are auditable.