From the blog:
"Here are some factors they may examine:
- Can they sample similar systems?
- Will they rely on third-party reports?
- Do they need to inspect the security of every application?
- Will you need to give them copies of sensitive data for their work papers?
- Who will send the final report to the acquirer or card brand?"
As you would expect from a blog dedicated to PCI DSS, Michael discusses these factors in the context of a PCI compliance audit. But many of the same factors and considerations are applied by information security auditors across the board, regardless of their 'faith'. If you're expecting an audit soon, it's a great quick read that provides some insight into the process.