Personnel management is a form of what type of control?

report for senior management is much more concise and offers more of an overview or summary of the findings. An audit report for the IT manager or the security administrator should be very detailed and include all available information on the events contained in it.

Reporting Time Frames

The frequency of producing audit reports is based on the value of the assets and the level of risk. The more valuable the asset and the higher the risk, the more often an audit report should be produced. Once an audit report is completed, it should be submitted to the assigned recipient as defined in the security policy documentation and a signed confirmation of receipt should be filed.

When an audit report contains information about serious security violations or performance issues, the report should be escalated to higher levels of management for review, notification, and assignment of a response. Keep in mind that, in a formalized security infrastructure, only the higher levels of management have any decision-making power. All entities at the lower end of the structure must follow prescribed procedures and follow instruction.

Sampling

Sampling, or data extraction, is the process of extracting elements from a large body of data in order to construct a meaningful representation or summary of the whole. In other words, sampling is a form of data reduction that allows an auditor to quickly determine the important issues or events from an audit trail. There are two forms of sampling: statistical and nonstatistical. An auditing tool using precise mathematical functions to extract meaningful information from a large volume of data performs statistical sampling. There is always a risk that sampled data is not an accurate representation of the whole body of data and that it may mislead auditors and managers, and statistical sampling can be used to measure that risk. Clipping, a form of sampling, selects only those error events that cross the clipping level threshold.
Clipping levels are widely used in the process of auditing events to establish a baseline of system or user activity that is considered routine activity. If this baseline is exceeded, an unusual event alarm is triggered. This works especially well when individuals exceed their authority, when there are too many people with unrestricted access, and for serious intrusion patterns. Clipping levels are often associated with a form of mainframe auditing known as violation analysis. In violation analysis, an older form of auditing, the environment is monitored for occurrences of errors. A baseline of errors is expected and known, and this level of common errors is labeled as the clipping level. Any errors that exceed the clipping level threshold trigger a violation and details about such events are recorded into a violation record for later analysis.

Nonstatistical sampling can be described as random sampling or sampling at the auditor’s discretion. It offers neither assurance of an accurate representation of the whole body of data nor a gauge of the sampling risk. Nonstatistical sampling is less expensive, requires less training, and does not require computer facilities.

Both statistical and nonstatistical sampling are accepted as valid mechanisms to create summaries or overviews of large bodies of audit data. However, statistical sampling is more reliable.
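
The clipping-level mechanism described above, shown as an added example that is not part of the original text: a Python sketch of violation analysis that keeps only the error events exceeding the baseline and writes them to violation records. The audit trail is constructed sample data, and the event names, the clipping level of 3 errors, and the 10-minute window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not from a real system): time, user, event.
AUDIT_TRAIL = """\
2024-03-01T09:00:05 alice LOGON_FAILURE
2024-03-01T09:00:40 alice LOGON_SUCCESS
2024-03-01T09:02:11 bob LOGON_FAILURE
2024-03-01T09:02:19 bob LOGON_FAILURE
2024-03-01T09:02:31 bob LOGON_FAILURE
2024-03-01T09:02:44 bob LOGON_FAILURE
2024-03-01T09:03:02 bob LOGON_FAILURE
2024-03-01T09:40:00 carol ACCESS_DENIED
2024-03-01T11:15:00 bob LOGON_FAILURE
"""

# Assumed set of event types that count as errors for this illustration.
ERROR_EVENTS = {"LOGON_FAILURE", "ACCESS_DENIED"}

def parse(trail):
    """Yield (timestamp, user, event) tuples from the text audit trail."""
    for line in trail.splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event

def violation_analysis(trail, clipping_level=3, window=timedelta(minutes=10)):
    """Return violation records for errors that exceed the clipping level.

    Up to `clipping_level` errors per user inside the sliding `window` are
    treated as routine; every further error is recorded as a violation.
    """
    recent = defaultdict(list)  # user -> error timestamps still inside window
    violations = []
    for ts, user, event in sorted(parse(trail)):
        if event not in ERROR_EVENTS:
            continue
        # Drop errors that have aged out of the window, then add this one.
        recent[user] = [t for t in recent[user] if ts - t < window] + [ts]
        count = len(recent[user])
        if count > clipping_level:
            violations.append({"time": ts.isoformat(), "user": user,
                               "event": event, "errors_in_window": count})
    return violations

if __name__ == "__main__":
    for record in violation_analysis(AUDIT_TRAIL):
        print(record)
```

Of the eight error events in the sample, only the fourth and fifth failures by the same user within the window become violation records; the isolated errors stay below the baseline and are clipped out.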