
Audit results are taken very seriously by companies operating in heavily regulated industries that intend to stay in business, so healthcare, finance, insurance etc.

If you are a team lead doing programming for one of these sorts of companies and the auditors come round with some findings, I promise you that you need to take it deadly seriously. I've seen engineers fired for cause by the board of directors of a Fortune 500 for failing to do so. Word gets around and nobody will touch them after that. It's literally career ending to pooh-pooh audits.

Tech companies are the odd man out when it comes to audits, which is why it's possible for so many in a thread like this to have opinions that are so wildly inconsistent with reality. Who knows how much longer that will last, particularly with advances in AI.




What does "failing to do so" look like most times, if you don't mind me asking?


No, I don't mind.

It means delaying or coming up with excuses for why you can't have security concerns remediated within the agreed-upon time frame. Regardless of the technical challenges involved.

Audit remediations are not the kind of projects where delays are acceptable. You absolutely must drop everything else you've got going on in those situations if you even remotely get a hint that the project might be behind.

The reason here is that your boss and your boss's boss can't save you. If bad audit results come back you can bet the C-suite had an emergency meeting discussing how to explain them to the board and the timeframe for getting them fixed. And you can bet they made some sort of commitment.

There are hundreds of millions to billions of dollars on the line in insurance premiums and future legal process in some cases. Oftentimes cyber insurance will mandate some kind of timeframe for remediation upon notification of a security issue. So you'll get hit with penalties well before the next audit if you delay. You don't want to be the programmer(s) that missed a deadline there.



