The company I work net admin for (fresh out of college, so I'm far from being an expert) currently has no security auditing that takes place. Considering we're one of the top financial planning companies in the region, I think that's pretty darn scary. So, I'm trying to learn about info sec auditing and where to start, and just read an excellent tutorial that TheHorse13 wrote last year in reference to this article:

While reading that, I started thinking about how I should start assessing possible network vulnerabilties here.

So my question to you, is where would you start? You're sitting behind an employee's computer, and now you have your chance to find out whatever you can. What are you going to do first? What tools are you going to use? How are you going to go about looking for network vulnerabilities?