Sweet, sweet audit.

From osiris maillist:
"We are currently using Osiris to monitor Linux and Windows servers. We have an auditor that is stating that our 'File integrity monitoring is not appropriately configured'. However, we believe that we are 'appropriately' monitoring the correct files. He means that he doesn't believe that we are monitoring all of the proper files on our servers, that we are leaving important files unmonitored"

Unfortunately security auditors work usually based on "expert opinion", which have no fundamental base. So audit report is only opinion of one person without enough experience.