These activities can be carried out as a separate activity or as part of an internal audit. If the organization creates an information security objective related to data being compromised, the organization should have some kind of monitoring system in place. Simply auditing your system would not keep the organization’s data safe.