If an organization already has its IT security baseline defined you need to see if it is sufficient for the level of data present. You need to check its sufficiency. The auditor should evaluate the minimum baseline security that is required by the IT business. He should include the level of controls and the data in the estimate.
Once he has a value that is sufficient for the level of controls present he can then figure out if the present IT security baseline is up to the mark. After that he needs to document, implement and check the compliance to make sure that everything is in order.