HP3000-L Archives

September 1998, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Dirickson Steve <[log in to unmask]>
Reply To: Dirickson Steve <[log in to unmask]>
Date: Mon, 7 Sep 1998 14:31:46 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (27 lines)
<<We, too, used the "file drawer" analogy when explaining our security
considerations to auditors. Being entrusted with the users' data, we felt
that it was our sacred duty to make sure that NO unauthorized person could
even get close to the users' data, let alone alter or destroy it. We
appealed to common sense: it is important to safeguard data and software;
it is also important that a legitimate user can get to his data without
writing his last will and testament every time he signs on!! Nearly always,
however, the auditor with his "take no prisoners" attitude could win simply
by THREATENING to write a "management point.">>


Let them. More than that: encourage them to do so. It sounds like you don't
have much or any visibility to management, and this is one way (not the
best, but you work with what you have) to get some. I'm assuming that these
internal audit actions require responses, and that those responses are
reviewed by a third group that is not in either the auditor or your internal
department/group/whatever. An audit-deficiency response may be the only way
to get the real-life issues, like usability and cost, in front of the real
decision/policy makers. An intelligently-presented response, detailing all
the issues, the options, and the advantages and disadvantages of each, is
your opportunity to get/force your management to stand up, listen, and do
their job, rather than letting the audit group set de facto operating policy
through intimidation.

Steve
