Three types of cybersecurity audits
The term "cybersecurity audit" covers three distinct assessment types. Each examines your security from a different angle, and most organisations need a combination of all three to maintain a complete security posture.
1. Compliance audit
A compliance audit evaluates whether your organisation meets the requirements of specific regulatory frameworks and industry standards. The auditor works from a checklist derived from the applicable standard - each control is assessed as implemented, partially implemented, or not implemented.
For Nigerian companies, compliance audits typically assess against one or more of: the CBN Risk-Based Cybersecurity Framework, the Nigeria Data Protection Act (NDPA), PCI DSS 4.0, ISO 27001, and NITDA guidelines. The audit produces a compliance report documenting your conformance level and identifying gaps that must be addressed.
Compliance audits answer the question: "Do the required controls exist?"
2. Technical audit
A technical audit involves hands-on examination of your systems, configurations, and infrastructure. Auditors review server configurations, network architecture, access controls, encryption implementation, logging and monitoring setup, and application security settings. Unlike a compliance audit that works primarily from documentation and interviews, a technical audit requires direct access to systems.
Technical audits answer the question: "Are the controls implemented correctly?"
3. Operational audit
An operational audit reviews your security processes, procedures, and human factors. It examines incident response plans (and whether they have been tested), change management procedures, access provisioning and deprovisioning workflows, employee security awareness, vendor management practices, and business continuity planning.
Operational audits answer the question: "Are the controls being maintained and followed consistently?"
Audits check existence, pentests check effectiveness
A compliance audit might verify that your web application firewall (WAF) is deployed and configured per policy. A penetration test checks whether the WAF actually blocks real attacks. We regularly find WAFs that pass compliance checks but fail to stop basic SQL injection or cross-site scripting because the rule sets were never tuned for the specific application. Both assessments are necessary - they answer fundamentally different questions.
Nigerian regulatory frameworks driving audit demand
Four regulatory frameworks create cybersecurity audit requirements for Nigerian organisations. Understanding which frameworks apply to your company determines the scope and frequency of your audit programme.
CBN Risk-Based Cybersecurity Framework
The Central Bank of Nigeria's cybersecurity framework applies to all CBN-licensed financial institutions: banks, microfinance banks, payment service providers, mobile money operators, and switching companies. It mandates:
- Annual cybersecurity assessment: Comprehensive evaluation of cybersecurity posture covering governance, risk management, technical controls, and incident response capabilities.
- CSAT submission: The Cybersecurity Self-Assessment Tool must be completed and submitted to the CBN. This is not optional - it is a licensing requirement. The CSAT covers five domains: cybersecurity governance, cybersecurity risk management, cyber resilience, cyber threat intelligence, and cybersecurity metrics.
- IT audit: Regular IT audits conducted by qualified assessors. The CBN specifies minimum competencies for the audit team and requires the audit report to be submitted along with management's response to findings.
- Penetration testing: The framework explicitly requires regular penetration testing as a component of the security assessment programme. See our CBN IT audit preparation guide for detailed requirements.
Nigeria Data Protection Act (NDPA) and NDPC
The NDPA applies to any organisation processing personal data of individuals in Nigeria. This covers virtually every technology company operating in the country. Key audit-relevant requirements:
- Data Protection Impact Assessment (DPIA): Required for high-risk processing activities. Must be documented and available for NDPC review.
- Appropriate technical measures: The NDPA requires organisations to implement "appropriate technical and organisational measures" to protect personal data. Regular security assessments are the primary evidence of compliance. The NDPC can fine organisations up to 2% of annual gross revenue or ₦10 million for NDPA violations.
- Data protection audit: The NDPC has the power to audit organisations directly and has been conducting compliance audits of major data controllers since the Act's enforcement began.
- Annual data protection compliance report: Large data controllers must file annual compliance reports with the NDPC, including documentation of security measures implemented.
NITDA guidelines
The National Information Technology Development Agency (NITDA) provides cybersecurity guidelines and standards for Nigerian organisations. While NITDA's enforcement has historically been lighter than CBN or NDPC, the agency has been strengthening its oversight, particularly for technology companies. NITDA's guidelines align with international standards (ISO 27001, NIST) and provide a baseline for cybersecurity practice in Nigeria.
PCI DSS for payment processors
Any Nigerian company that processes, stores, or transmits cardholder data must comply with PCI DSS. This includes payment gateways, acquiring banks, e-commerce platforms, and any fintech that touches card data. PCI DSS 4.0 introduces significant new requirements around authentication, encryption, and continuous monitoring. See our PCI DSS compliance guide for Nigeria.
PCI DSS compliance requires annual assessments - either a Self-Assessment Questionnaire (SAQ) for smaller merchants or a Report on Compliance (RoC) from a Qualified Security Assessor (QSA) for larger organisations. The assessment includes both documentation review and technical testing.
Not sure which regulatory frameworks apply to your company or what audit scope you need? We help Nigerian fintechs navigate CBN, NDPA, and PCI DSS requirements every day.
Discuss Your Audit RequirementsWhat auditors assess in each audit type
Understanding what auditors look for helps you prepare effectively and avoid surprises during the assessment.
Compliance audit assessments
Governance and policy
Information security policy, acceptable use policy, data classification policy, incident response policy, business continuity plan. Do they exist? Are they current (reviewed within the past 12 months)? Are they approved by senior management? Are employees aware of them?
Access control
User access management procedures, role-based access control implementation, privileged access management, access reviews and recertification, deprovisioning procedures for leavers. Is there a documented process? Is it followed consistently?
Data protection
Data inventory and classification, encryption at rest and in transit, data localisation compliance, backup procedures, retention and disposal policies. Where is personal data stored? Who can access it? How is it protected?
Monitoring and logging
Security event logging, log retention periods, SIEM implementation, alerting thresholds, incident detection capabilities. Are logs collected from all critical systems? Are they reviewed? How quickly can an incident be detected?
Technical audit assessments
- Network security: Firewall configurations, network segmentation, intrusion detection/prevention systems, VPN configurations, wireless security. Are production systems isolated from development? Can a compromised web server reach the database directly?
- System hardening: Operating system configurations against CIS benchmarks, unnecessary services disabled, patch management status, default credentials changed, administrative access secured.
- Application security: Web application configurations, API security settings, authentication mechanism strength, session management, input validation. Often assessed using OWASP guidelines as a baseline.
- Cloud configuration: IAM policies, security group rules, encryption settings, logging configuration, storage access controls. Cloud misconfigurations are the most common finding in technical audits of Nigerian startups.
- Encryption: TLS versions and cipher suites, certificate management, data-at-rest encryption, key management procedures, cryptographic algorithm strength.
Operational audit assessments
- Incident response: Does an incident response plan exist? Has it been tested (tabletop exercise or simulation) within the past 12 months? Does the team know their roles? Is the escalation chain documented and current?
- Change management: Are system changes documented, reviewed, and approved before implementation? Is there a rollback procedure? Are changes tested in a staging environment before production deployment?
- Vendor management: Are third-party vendors assessed for security before onboarding? Are vendor access permissions reviewed regularly? Do vendor contracts include security requirements and right-to-audit clauses?
- Security awareness: Do employees receive security awareness training? How often? Is it tracked? Are phishing simulation results measured and improving over time?
- Business continuity: Does a business continuity plan exist? Has it been tested? Are recovery time objectives (RTO) and recovery point objectives (RPO) defined and achievable?
How to prepare for a cybersecurity audit
Audit preparation determines whether your assessment takes 3 weeks or 8 weeks. Companies that prepare well spend less time, less money, and receive fewer surprises.
1. Document inventory
Collect and organise all security-relevant documentation before the audit begins. This includes: security policies and procedures, network diagrams, system architecture documents, data flow maps, asset inventories, previous audit reports and remediation evidence, access control matrices, and vendor contracts. If documentation does not exist, acknowledge this upfront - the auditor will discover the gap regardless.
2. Access provisioning
Prepare the access the audit team will need: read-only access to cloud consoles, network diagrams, firewall configurations, system configurations, and log aggregation platforms. For technical audits, prepare credentials for a test environment that mirrors production. Pre-approved access avoids weeks of back-and-forth that stretches timelines and costs.
3. Team availability
Auditors need to interview key personnel: the CTO or VP Engineering, the head of IT/infrastructure, the DevOps or SRE lead, the compliance or legal lead, and at least two senior engineers who understand the production systems. Block time in their calendars during the audit window. Scheduling conflicts are the second most common cause of audit delays (after access provisioning).
4. Self-assessment
Before the external auditors arrive, conduct an internal self-assessment against the applicable framework. Review your policies - are they current? Check your access controls - are there dormant accounts? Verify your logging - are logs actually being collected and retained? The self-assessment identifies easy fixes you can implement before the audit, improving your results without increasing your audit spend.
Timeline and cost expectations
Audit timelines and costs vary significantly based on scope, company size, and the regulatory frameworks being assessed.
Compliance-focused audit
Scope: Single framework (CBN CSAT, NDPA, or PCI DSS SAQ). Timeline: 2-3 weeks. Cost: ₦2 million - ₦5 million. Best for: Companies needing to address a specific regulatory requirement or preparing for a regulatory examination.
Comprehensive audit
Scope: Compliance + technical + operational assessment against multiple frameworks. Timeline: 4-6 weeks. Cost: ₦5 million - ₦12 million. Best for: Mid-sized fintechs, companies seeking ISO 27001 certification readiness, or organisations responding to enterprise client security questionnaires.
Full audit + pentest programme
Scope: All three audit types plus penetration testing and social engineering. Timeline: 6-8 weeks. Cost: ₦10 million - ₦20 million. Best for: Established financial institutions, companies preparing for investor due diligence, or organisations responding to a security incident.
These cost ranges reflect the Nigerian market in 2026 for qualified security firms. Significantly cheaper options exist but typically involve automated scanning repackaged as "audits" - a practice that produces compliance documentation of questionable value. See our analysis of cheap vulnerability scans vs real penetration tests for why this distinction matters.
What to do with audit findings
An audit that produces findings you never address is a waste of money - and creates legal liability. If a breach occurs and your auditor's report shows you knew about the vulnerability and did not fix it, that document becomes evidence of negligence.
Prioritisation matrix
- Critical (fix within 48 hours): Findings that enable immediate, unauthenticated access to sensitive systems or data. Examples: exposed databases, default administrative credentials, missing authentication on payment endpoints.
- High (fix within 2 weeks): Findings that enable authenticated attackers to escalate privileges, access other users' data, or bypass security controls. Examples: broken object-level authorization, JWT implementation flaws, missing input validation on critical endpoints.
- Medium (fix within 30 days): Findings that weaken your security posture but require additional conditions to exploit. Examples: outdated TLS versions, missing security headers, overly verbose error messages.
- Low (fix within 90 days): Findings that represent best-practice gaps with limited immediate exploitability. Examples: missing HSTS preloading, cookie attribute issues, informational disclosures.
Remediation planning
Assign each finding to a specific team member with a clear deadline. Track remediation in your existing project management system - Jira, Linear, Asana - not in a separate spreadsheet that nobody checks. Schedule a remediation review meeting 30 days after the audit to assess progress on Critical and High items. Consider a verification retest after remediation to confirm the fixes work.
How Simpa Labs delivers audit-ready security assessments
We structure our security assessments to produce deliverables that serve dual purposes: actionable technical findings your engineering team can implement, and compliance-ready documentation that satisfies regulatory requirements.
- Framework-mapped findings: Every finding is mapped to the specific CBN CSAT domain, NDPA section, or PCI DSS requirement it relates to. This mapping connects technical vulnerabilities to regulatory obligations, making remediation prioritisation straightforward.
- Executive and technical reports: Separate reports for different audiences. The executive summary serves your board and regulators. The technical report serves your engineering team. Both are delivered for every engagement.
- Remediation verification: After your team addresses the findings, we offer a verification retest to confirm the fixes are implemented correctly. The clean retest report becomes your strongest evidence of compliance.
- Ongoing advisory: For companies on continuous assessment programmes, we provide ongoing advisory access - your team can consult with our engineers during remediation, and we conduct quarterly rechecks to verify sustained compliance.
Need a cybersecurity audit that satisfies CBN, NDPA, and PCI DSS requirements while also delivering actionable security improvements? We scope every engagement individually.
Discuss Your Audit NeedsRelated reading
Blog: CBN CSAT Guide · NDPA vs NDPR: What Changed · PCI DSS Compliance Guide Nigeria · How to Choose a Pentest Company
Guides: CBN Compliance Guide · ISO 27001 for Fintech Nigeria · PCI DSS for Fintech Nigeria
Services: Penetration Testing · Vulnerability Assessment · Digital Banking Security
Frequently asked questions
Is a cybersecurity audit mandatory in Nigeria?
For CBN-licensed financial institutions, yes. The CBN Risk-Based Cybersecurity Framework mandates regular cybersecurity assessments including the Cybersecurity Self-Assessment Tool (CSAT) submission. For companies processing personal data, the NDPA requires 'appropriate technical and organisational measures' - which regulators interpret to include regular security assessments. While 'audit' is not always the specific word used, the requirement for regular, documented security evaluation is clear across multiple Nigerian regulatory frameworks.
How often should a Nigerian company conduct a cybersecurity audit?
CBN-regulated institutions should conduct comprehensive audits annually, with continuous monitoring and quarterly vulnerability assessments. NDPA compliance benefits from annual reviews at minimum. Plus, you should conduct targeted assessments after any significant system change, security incident, or before major product launches. Many Nigerian fintechs are moving toward continuous assessment models rather than annual point-in-time audits.
What is the difference between a cybersecurity audit and a penetration test?
An audit checks if controls exist and conform to standards - do you have a firewall? Is it configured per policy? Are access logs retained for the required period? A penetration test checks if controls actually work - can we bypass the firewall? Can we escalate privileges despite your access controls? Audits verify compliance; pentests verify effectiveness. Most organisations need both.
Can I use the same firm for audit and penetration testing?
Yes, and there are advantages to doing so - the firm gains a comprehensive understanding of your security posture and can provide more contextual recommendations. However, for regulatory audits (like PCI DSS QSA assessments), independence requirements may mandate separate firms for the audit and the remediation work. For internal security improvement purposes, using one firm for both audit and pentest is efficient and common.