In the title of the question - the question, in the text - the task. Do not do it this way.
There are many difficulties themselves: depending on what is the subject of the audit, it can be a complex business process, employees' workplaces, and technological, server rooms, or maybe a comprehensive audit, where there are continuous difficulties.
The biggest difficulty and problem in auditing is the people, in management and in the field.
On your assignment, read the ISACA documents, there are detailed methods and recommendations from which you can get more examples for yourself.

"... security audit of information systems"
Specify plz - Audit of information security of companies, or all the same Audit of information security of individual IS?
If the former then
Difficulty #1 is the lack of a coherent Information Security Program/Policy (ISP) in the company.
because it should describe exactly what the Auditors should actually Check, and what is expected to be obtained as a result.
Without a PIB, auditors become Penetration Testers. Like "I don't know where to go, find some kind of XXX vulnerability - I don't know what (we don't care, just to report)".
Difficulty number 2 - lack of support / understanding of the company's top management in matters of information security in the first place, in matters of audit - in the second place.
Read a book for example
Vladimirov, A., Gavrilenko, K., and Michajlowski, A. Assessment Information Security: Strategies, Tactics, Logic and Framework IT Governance, Cambs, GBR.