An information security auditing and incident investigation method can include applying a correlation template to query different audit targets in an enterprise system to provide a complete result set for the query across different audit targets, receiving audit data provided in response to the query and rendering the audit data to produce an audit report. The applying step can include distributing one or more distributed audit and response tools to each of the targets in the enterprise and communicating with the targets in the enterprise to acquire audit data from each of the targets. The receiving step can include organizing the audit data in a hierarchy, and recursively walking the hierarchy as a directed, cyclic graph noting memberships and paths. Finally, the rendering step can include generating a graphical visualization interface, disposing a real-time object browser within the interface, and further disposing a differential report in the interface.