The staff at the SANS Internet Storm Center has put together a good brief piece on how to prepare for and go through an outside IT audit. The philosophy is basically: work with the auditors rather than against them in order to get the maximum value from the process.
Johannes Ulrich discusses it and adds some good comment in the Aug. 17 podcast.
Someone also left a great comment with the article: if the auditors find problems, you can always use them as leverage to get more budget.
The SANS Institute, in Bethesda, Md., provides information security training, certification and research. Its Storm Center is a cooperative venture in which volunteer members share intrusion detection information to spot and analyze worms and other fast-moving malicious software.