by p_l 36 days ago
A major problem of the entire compliance/auditing industry is that not enough companies ask "what are the actual risks we are dealing with", "what's the goal of a given control", "do we have an alternative control ensuring that".

Compounded by cheap shitty auditors that just mark down checkboxes on a worksheet.


Agree, see the Delve fiasco. But that's not their job. Their job is literally checkboxes. However, some audits are so poorly done, or have auditors with zero real-world engineering or cyber experience, that they're actively harmful to a product or customer base.

Example: insane, complex password policies and password rotation policies. These are still pushed by auditors rather than trying to build a reasonable exception case with the client.

I was thinking more of audits that do not even allow deviation, nor have any understanding of what they are asking for with each checkbox. So it's hard to even start on anything nuanced.