Abstract
Much of the audit literature focuses on Fortune 1000 con-trol and infrastructure issues. As a result, IT reviews of small firms or branch offices of larger firms sometimes inappropriately retrofit large-scale control and security practices onto small office IT architectures. This article outlines a broad spectrum of practices that are practical for the office or plant with 10 to 50 employees. By focusing on size-appropriate practices, the auditor can more effectively promote day-to-day security and operational efficiency for these organizations.