Cheers mate, thank you for commenting.
Before we start, an audit here is a little bit different from an Accounting Audit — which is reported to the SEC and is regulated by Government, hence strict rules must be followed.
With a Security / Cyber Forensics Audit, there are two different categories:
Internally Requested: the company wishes to establish the security of the network and systems, hence protecting against a data breach.
Externally Requested: usually in the event of a lawsuit or a legal proceeding which requires evidence to be recovered from servers / computers.
In this particular case, it was an Internal Audit, and the company is not publicly listed (meaning they have a right to privacy, rather than a public company where this information would be disclosed to the appropriate authorities). To establish legitimacy and a code of conduct, in the event of an Internal Audit the firm signs a legally binding confidentiality agreement; hence the information is handled pretty much exactly like it would be in a lawyer and client relationship.
In the Audit Report, if and when we do discover inappropriate content not relating to work, as a matter of privacy it's not directly referenced in the Audit Report; instead a separate document is prepared, usually named “Inconsistent / Systems Violation / Inappropriate Use of Office Equipment”, something along those lines. The priority is to not disclose the matter to other employees and to minimise the information disclosed, so that the matter is handled internally by management. After reporting, it is up to the company to handle the matter and to decide whether they wish to take action.
In this case, I believe the individual would have received a warning from HR, and since it had not compromised system security, it was not mentioned as a breach of security but rather as “Inappropriate System Use *Details disclosed confidentially*”. In case someone else reads the report, they'll have to go through the proper channels of the management hierarchy to uncover the exact details.
Also, the individual is not usually mentioned by name; instead the system in use is mentioned, and usually the company is made aware of the individual who was assigned that particular system.
In the case of mobile phones or other assets issued by a company, the company may reserve the right to monitor company-issued assets being used outside the workplace. For example, if one takes a laptop home but uses it to work on a thesis or to watch Netflix.
Hope that helps. :)