Towards information security behavioural compliance

Cited by: 226
Authors
Vroom, C [1]
von Solms, R [1]
Affiliation
[1] Port Elizabeth Technikon, Port Elizabeth, South Africa
Keywords
IT auditing; IS security auditing; organizational culture; organizational behaviour; security compliance
DOI
10.1016/j.cose.2004.01.012
Chinese Library Classification number
TP [Automation technology, computer technology]
Discipline classification code
0812
Abstract
Auditing has always played an important role in the business environment. With the introduction of information technology and the resulting security challenges that organizations face daily, it has become essential to ensure the security of the organization's information and other valuable assets. However, one aspect that auditing does not cover effectively is that of the behaviour of the employee, which is so crucial to any organization's security. The objective of this paper is to explore the potential problems concerning the attempt to audit the behaviour of the employee. It will be demonstrated that it is extremely difficult to audit human behaviour and so an alternative method to behavioural auditing needs to be found, where policing the employee is not necessary, but instead a softer, more informal approach is used to change the culture to a more information security conscious one. © 2004 Elsevier Ltd. All rights reserved.
Pages: 191 / 198
Number of pages: 8