We are currently reviewing our vendor's scope of work in relation to IT auditing. Several questions have arisen for which I need other professional input to form a solid conclusion. Here are my questions:

- Servers that have no direct impact on customers and only contain users' files should be audited with Nessus every <x>?
- Servers that hold customer information and possibly payment information should be audited with Nessus every <x>?
- Exchange server should be audited with Nessus every <x>?

All help in this matter is greatly appreciated!