A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance, in the wake of legislation (such as HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Information Act) that specifies how organizations must deal with information.