ABSTRACT
The security professional and the auditor come together around one topic: control. The two professionals
may not agree with the methods used to establish control, but their concerns are related. The security
professional is there to evaluate the situation, identify the risks and exposures, recommend solutions, and
implement corrective actions to reduce the risk. The auditor also evaluates risk, but the primary role is to
evaluate the controls implemented by the security professional. This role often puts the security
professional and the auditor at odds, but this does not need to be the case.