So I had a question regarding audits making one secure. The question related to my article and post here, "Security Testing for Your SMB: What You Need to Know."
I will stick to my arena of experience in cyber with regard to ITSM and policy. Audits are good at pointing out flaws in your controls and compliance with regulations and standards.
However, in my experience, most audits are "gamed", meaning organizations know they are coming, burn the midnight oil, and jump through the hoops to prepare for them, all because they weren't following policy and process, or don't have them in place at all.
What's your experience with audits of IT organizations?