September 8th, 2006, 02:52 PM
#15
I completely disagree. If you are doing work for Visa, then they should tell you what they expect from the get-go. The purpose of an audit is to make sure you are following policies or to correct problems in the policy. It isn't to try and surprise you with things you never thought about.
We do a lot of work with American Express. Every system that has anything to do with American Express follows our corporate security policy as well as the specific machine policies that were created for those machines by our corporate security department and some security people from AMEX. When they are audited they use the agreed-upon security policy. Nothing else. Our policies, as most should, even define how the audits will be conducted.
Security practices should be followed closely every day, especially when you are working with sensitive data.
And without a complete policy how do you do that? Just go on the best effort of the administrators? I don't think so.
Every time I have ever worked with a government agency or any type of financial firm their security policies were always made very clear from the start. I can think of one audit where we were dinged for several items that were added by our customer to their security policy. When the final report came out as to why we were not following that particular piece of the policy the blame, and subsequent corrections, were made to their communication process. They had never ok'ed those changes with our security organization, and they never told us.