Difficulties in conducting an information security audit in an enterprise