Audits are fun things. I have been sitting in on parts of an audit to meet government requirements for the past two weeks and it has reinforced that I don't really want to go over to that side of the fence.
In some ways, it is funny watching the process, as some auditors find ways to make black and white rules to evaluate somewhat vague requirements. I had thought PCI requirements were vague at one point, but these have even more areas where they could use clarity. At least we have the auditor's notes version with the PCI standard, but these were missing even that.
It does demonstrate that sometimes such audits are needed to get the necessary pressure to do all the right things. Getting strong security in place is a big challenge in many areas. No one wants to be insecure, but people often don't realize it until they have the shortcomings put forth so clearly.
An unfortunate part of this is that the requirements being evaluated are not always clear. While auditors deal with the black and white I mentioned above, the requirements don't always clarify exactly what should be covered by the audit, no matter how much the auditor may want it to be cut and dried.
It is ironic that I plan on achieving my GIAC GSE-Compliance in light of this, but I still plan on pursuing that. Hopefully having some solid audit knowledge will help me be an even stronger information security professional.