Remember that auditing firms make an attestation as to whether you're in compliance. That attestation is basically a statement of confidence. So, yes, it's entirely possible one firm would require something when another wouldn't if the requirement is not explicitly spelled out in the standard. For instance, way back in the day, this is how one firm we did business with got a SAS70 attestation even though they didn't patch their Windows servers. I wish I was kidding. Our auditors, on the other hand, required a detailed patch management plan along with verification that the controls were being met before they signed off each time for our SAS70 attestation. Why the difference? SAS70 was very vague and didn't have anything specific with regards to those sorts of controls.