Comment by teilo

3 years ago

A good auditor will do exactly that: audit the evidence to certify compliance with the documented controls. It is not their job to specify controls, unless the controls are specifically called out in the standard against which they are auditing. They can flag controls that do not meet the standard, but they cannot specify what those controls must be.

However, a good auditor should also make recommendations on how to improve controls without holding the threat of a qualified report over your head if you don't comply.

So while I agree that they do not have to be a domain expert to do the bare minimum, such audits that they can provide are not especially useful in the long run. I want the value add of recommendations from a domain expert. This, however, is not that common.

Worse are the guys that think they have a badge. Their position has gone to their heads, and they are a nightmare to work with. I hate having to school these guys that it is not their job to demand specific controls (in the case of SOC2 for example), but to compare the controls in place to the standard, and verify that they are indeed in place. Unfortunately, all these guys work for accounting firms, and their bosses are generally clueless, so the "cyber guy" runs rampant. Some auditors need an audit.