Some audits, like Visa PCI, don't care too much about your policies (well, this is a qualified statement; merchant PCI is one thing and service provider PCI is a different beast altogether). While they will test that you are indeed meeting your own policies, a lot of audits will go outside of that scope. When I was working in the financial world, the FDIC and Visa would regularly conduct their /own/ audits of us that had little or nothing at all to do with the mechanisms that we had in place already.

One little snafu I recall is that we were encrypting data sent from our application servers to our database servers, but we had a "weak" key management system in place. We were following our own policies, which were fine for stuff like SAS70 audits, internal audits, etc., but when Visa hit it, they weren't too pleased with it. They required us to use HSMs to secure the keys.

So while we were good based on our own baseline and previous audits, we were dinged pretty hard by an external audit that wasn't testing our policy but /their/ own policy against us. A lot of gov't auditing is the exact same way.

Oh, and fwiw, Visa gave us no heads-up as to what to expect from their audit. Trying to get info as to the audit requirements for Visa PCI is like pulling eye teeth, unless you know the "right" people.