Internal and external audits are a necessary evil for the ACME IT shop. During the past three or four years they've become more common and now require more information. Although they're about as welcome as dental surgery, we've learned to survive them--and learn from them. For those of you blissfully unaware of these dealings, you should be sacrificing old routers and 10-Mbps hubs in thanks to the gods of networking.
In our experience, the information required in an audit falls into three categories: policies, documentation and log files.
On the policy front, auditors want copies of password policies, helpdesk operations, backup procedures, security policies and more. They've also asked for policies on things we hadn't thought were necessary and so never wrote down--which means every once in a while I've created simple policies on the fly in response to auditor questions.
Documentation requirements are legion. Auditors will want good high-level network diagrams, systems inventory, org charts and even job descriptions of key staff. They'll want your strategic plan and IT budget info. They will even ask for copies of agreements with major service providers. And, of course, they will want your disaster-recovery plan and most recent test results.
As for logs, they'll want files from pretty much every device or system in your network.