A good IT Auditor should be able to explain what controls are in-scope, and why, prior to the start of
testing. With 99% of my interviewees, this is enough to get them on board and most are very receptive to
the controls (emphasis in original)….
So long as they're clear on what I'm testing and why, they are not defensive.