An organization that takes security seriously will have a solid policy on virus-scanning software, especially in light of recent events when viruses such as the Goner virus and Nimda worm have affected Web servers and mailing services so badly.
The policy will ensure that all PCs that access the network have virus software installed and activated to update regularly (how regularly depends upon the organization's deemed risk). If a system ever has virus scanning disabled, the whole system must be scanned again before it reconnects to the network. Furthermore, file servers and Web servers (and any other hardware connected to the network) should have virus-scanning software installed.
Any auditor who finds that a company does not have such a policy should recommend strongly that the company adopt one. It is important also to ensure that the company is aware that Microsoft operating systems are not the only ones to be hit by viruses.
For further information on viruses and the risks involved, see http://hq.mcafeeasap.com/topviruses.asp.