The pain points I see most often come down to a lack of information. If you don't have the proper tools and visibility into your network, it is very difficult to assess where things truly stand.
Another common gotcha is treating a compliance audit as if it were an IT security assessment. The two are vastly different, and you need to do both. I explain why our overdependence on "audits" can be bad for business in the following pieces:
Our dangerous overdependence on information technology audits
Why do so many people buy into “checklist” audits?