I'm curious about something. You stated that they are an existing client and that you reviewed your policy with their audit team a few months ago. I'm wondering what kind of audit it was. The reason being, if it was a security audit, one might request documentation as to what you test so they can make sure they are complient. When we are audited on things of this nature, we obtain a copy of what we are audited on so we can make sure all our "ducks" are in a row.....I'm just wandering out loud of that.

My advice/opinion is this...if they are an existing client, you should check the contract they signed or the Statement of Work agreement between you. There should be something in there that states what they have a legal right to and what they don't. If you're still getting the run around on this, you could try legal or maybe even a hotline (some companies, depending on size, have hotlines set up to question unethical behavior. This one could very well be a question of ethics and I wouldn't want my job on the line.

Follow your gut.....it's usually right.