- Trying to find everything is often a mistake
- Auditing is never about catching people doing things wrong
- The primary role of an auditor is to measure and report on risk to the business and business objectives
I really like the last one. It's a perfect reminder for those auditors who work with a checklist mindset and don't understand that sometimes a non-ticked box doesn't necessarily translate into a risk or go against business objectives. If they could take only one of these tips with them, this one is the most important. The job of security professionals would be much easier if we could work with auditors who understand that.