Security audits are very important for a company and should not be taken lightly. Just like an accounting audit, a security audit seeks to make sure that nothing is wrong. For information security, it can show a company where potential holes in the system may lie. Investors at times even require a company to show the audits it has had performed, so that they know the company isn't lying about its own security strength. The attached link is a policy (guideline) for a company that would have an audit performed. Every company should have something like this, because then, when an auditor comes in, the auditor knows what tests the audited company wants performed.
These policies are important to have in place because every company may need a different type of audit performed.
“An auditing firm needs to know if this is a full-scale review of all policies, procedures, internal and external systems, networks and applications, or a limited scope review of a specific system. Smaller firms may choose not to bid on a large-scale project, and larger companies may not want to bother with a review of one system, because they’re reluctant to certify a system without looking at the entire infrastructure.” (IT security auditing: Best practices for conducting audits section 4).