Comment Re:that assumes that "security audits" are worthwh (Score 1) 80
"Security audits are only worthwhile if the company being audited is actually serious about security in the first place".
I guess what matters is who holds the "purse strings". When I observe a non-compliant issue and report it to my client, most of the time my client calls for a secondary audit. It's rare to see the same issue on the secondary. The audits I've done where I observe the same non-compliance are rarely retained by my clients.
My clients hold the "purse strings" and will accept an "anomaly", "error" or an explainable exception, but they won't deviate from agreed compliance with their clients.