Hacker News
by a2tech 1862 days ago
Exactly. It's shocking how bad most audits are. The standards they're trying to enforce were obviously put in with the best intentions, but instead of the spirit of the rules, the letter is being followed. When the letter of the law is being enforced by people that don't know anything about the industry or how the technology works, you get truly asinine decisions.

It's an inevitable part of the way IT Audit is structured. Standards are necessarily abstract from specific systems (so don't always apply well) and updating standards is a slow process.

The auditors themselves are often tasked with reviewing a massively disparate group of systems, so there's no way they could become subject matter experts in each one.

So the result is a checklist approach, especially as most compliance tasks are pass/fail.