Re: analysis paralysis
I'm all for independent auditors, but I've come across my share of corrupt and/or incompetent auditors. Example: web event registration application that used /errorlog.txt to record every possible piece of information, including credit card number, expiration date, cardholder name, and CVV-code. The PCI-DSS auditor (independent fairly well-known company) signed off on it.
Also, in my entire IT-career (going back to the 90s) I have NEVER seen an auditor asking the grunts any questions. In my experience the average admin/engineer knows about a bunch of issues, but they never get cataloged formally. Even communicating them up the chain tends to do nothing more than making oneself hated across all tiers in the company.
Biting the hand that feeds IT
