At the other end of the table
Lately I see things happening close by that put certain things in perspective. Compliance, regulations and operating procedures exist for a reason. Take security in general: holding the handrail while walking up the stairs might seem trivial to one person, but those who have witnessed an accident close by think otherwise. Those policies always exist for a reason, in this case a very important one named personal safety.
Talking to the external auditor
I've been an auditor for some years and in my current position I very much enjoy being on the other end of the table ;) I have witnessed the external auditor visiting us to obtain our ISAE 3402 Type I/II statement. I was able to 'help' reduce our compliance efforts by pointing out that our external service provider already holds an ISO 27001 certification covering certain services, which limits the control objectives we need to cover through our own testing. We benefited directly from having knowledge of the audit and compliance area. I would recommend anyone who deals with external audit related compliance to perform an audit themselves or to regularly read related materials.
Complying with customer policy
We are contracted as part of our implementations at customer sites and as such we have to comply with their regulations and on-site policies for security, laptop use, network connections, etc. As consultants on GRC related subjects we should be specifically aware of such limitations, although our primary objective during an implementation is completing our project's goals on time, on budget and to the satisfaction of our customers. This duality sometimes makes it difficult to 'choose' between good and bad.
We find ourselves in situations where we have to choose between violating corporate policy and completing the objective within its limitations. It might be 'small' things like holding handrails while climbing stairs or using disinfectant after using the gents; but it can also be more important, such as not using remote desktop access to the BWise environment (which runs on the customer's network) without visual presence of someone from the customer's IT department (since it might contain confidential information).
What is your guideline to choose? Leaving it to the customer and posing the dilemma to them to make a decision might seem the right answer, although they will not always be able to provide you with the right answers. The people we directly communicate with might have goals of their own (which may or may not be the same as ours) that make them decide to violate corporate policy anyway, because they too have to manage the project on time and within budget. Everyone is human in the end and you have to make these difficult choices for yourself. Having been an auditor suddenly puts things in a different perspective. It is not always a matter of right or wrong (by just looking at policy); there is always more to it that makes it 'understandable'. That doesn't make it right, since the auditor should be as objective as possible, but it does give you a more understanding attitude. There are good reasons for the existence of policies and procedures, but there is always a thin grey line in between which is left to everyone's own discretion.