Brandie Tarvin (10/3/2007)
None of the local department ITS support groups in my workplace have actually been asked for Active Directory or Windows Groups lists. Usually, the auditors go to the ITS group that manages Active Directory. I don't know if these people are a part of our Server Admin team or have their own "AD Team" collection, but in my experience, they are the ones the auditors contact when wanting a list of all the users associated with specific Windows Groups.
forgotten to comment on this part.
depends how many years did your company go through and how exactly the auditors can match database logins and groups no matter when are they coming from with the job responsibilities of particular individuals. On 3-rd year and so on you may expect a bit smarter auditors. Does not mean you can not let the auditors to discover the security problems already known or new ones... (make it a little bit difficult to put all the ends together and give the info from different departments is one of the ways to do it, buys you some time because it takes time to analyze the data)