When the 'solution' is worse than the problem

03.05.2006

The findings and report are quickly modified before the internal auditors or officers can read them, or buried as deep and fast as possible.

In one recent case I've been told about, internal legal counsel reviewed security audit findings before relaying them to the company officers, specifically so that the report would be protected communications and not discoverable if the company was sued. It's dishonest and counterproductive -- and, yes, childish -- behavior.

But in the bigger picture, it's one of those misrepresentations that require more and bigger lies to sustain them as time goes on, growing eventually from a bump in the IT road to a quagmire of legal and financial woes.

Assuming the assessor is competent and the findings are real, why should anyone be punished for discovering flaws?

Many security problems are caused by a mismatch of security controls, or through completely innocent mistakes.