NCJ Number
88628
Date Published
1981
Length
20 pages
Annotation
The paper identifies areas of security weaknesses within organizations and details a practical approach to carrying out an investigative security audit.
Abstract
When an organization seeks advice concerning the computer security measures it is using, it must be sure of its reasons for needing security. After the organization's business objectives and needs have been determined, the actual security audit is carried out. The audit should cover physical security arrangements, external and internal services, computer operations, hardware, software, data, the users' environment(s), audit procedures, personnel, contingency plans, and insurance. Physical security arrangements involve access control (the movement of people and anything they may carry with them), fire protection, and protection against bombs, water, and incidents outside the organization's control. External and internal services may include computer and facility maintenance, data transit, security, water, electricity, gas, oil, and data processing. Questions to ask during the audit are listed for these services as well as for computer operations, hardware, software, the users' environment, etc. The paper also details how to present the audit results and implement the audit's recommendations. No references are cited.