legacy information system analysis for an audit

[hannibal blog <hannibalsec () gmail com>]

hello list

For my end of studies project, I have to do an IS security audit in a
public organisation.
I'm in the first step, trying to understand their IS
I prepared a report whith the following sections:

> IS Overview
> Human ressources
> Remote sites inventory (about 30 remote sites!!)
> Applications inventory
> > > Business applications
> > > General support applications
> Servers inventory
> Internetworking devices inventory (routers & firewall)
> Switches/hubs inventory
> Interconnexions inventory
> Network architecture

what do u think.
Did I forget an important thing?
Any advices are welcome.
-- 
----------------------------------
My security audit blog
http://hannibalsec.blogspot.com