Ola:

First - thanks for the reply catch. I appreciate the information.

Next,

If you think that is enough. Most organizations I've worked with have their pen testing tasks broken apart in a manner that no single auditor can gain enough information to compromise the system. Only the director receives the full report, which is generated by at least two project managers depending on the level of security required.
Were those organizations and auditors you worked with internal or external auditors (we are internal)? Also - and I am just trying to understand - why would project managers be involved in an audit?

Also,

That aside, I think a hacker methodology is a bad approach. People just think it sounds cool.
Just FYI - I and our department are not trying to "sound cool" or anything like that - that is just what I was taught through the class from Foundstone, and although it is a "hacker's methodology", one of the objectives of the class was to conduct penetration assessments and learn how to address those vulnerabilities.

The steps you mentioned to remove - good suggestions - I think I will change those steps into one, simply "Auditee Information Collection" or something like that, as we have the responsibility to get the information via survey and/or a meeting with the auditee in the first place.

edit

Sorry - forgot to post this - it looks like it follows what you were talking about - I am going to read through it more and adapt our strategy from it and your suggestions.

http://www.sans.org/rr/whitepapers/auditing/67.php

/edit

Thanks.