Information systems audits might examine many aspects of your IT system.  This is not a compliance audit (that’s in ISO 27001 not ISO 27002),but a more technical audit. Are the users working with the correct privileges? Is the infrastructure stable and reliable?  Do you have it have sufficient capacity (memory, processing, storage, bandwidth)  Are the associated business and information risks within acceptable tolerances for risk appetite?  How could it be improved?  How thoroughly was it tested? How effective are the maintenance, monitoring and management activities?  What do users of the system make of it? Many other questions could be asked and this could also be a preventative action for remediation work – rather than what did the bad user do before we had the incident, but what are the users doing which may mean we will have an incident?

Clarifying which angles are of particular interest to the stakeholders of a systems audit, and which are not, is the main function of the scoping phase at the start of the audit, since in practice it is so open-ended that the audit could become a huge task that reduces its own value, wasting an enormous effort on things that are of little concern.

System audits should be logged, read only and agreed with management in advance. Audits should be planned to minimise any disruption to users.