I'm not an auditor, but here's what I've come to understand:
One thing to keep in mind when it comes to regulations like SOX and HIPAA is that, although they are the law, they are very vague when it comes to details on how exactly to accomplish certain goals. The frameworks are sets of guidelines that are not set in stone or required by law. So what most companies do is pick and choose from each one and make a policy that suits their business. Once they have their own in written form, that becomes the baseline they use for dealing with audits.
Here's an example that will make your head spin. For lack of a good analogy, let's just use a numbering system with 100 being perfect. If Company A sets their goal at 75 but only reaches 65, while Company B sets their goal at 45 and attains 50, who passes an audit?
Since Company A has an overall higher score, one would think Company A did better in their audit. Not so. Company A would fail while Company B would pass with flying colors. It's all based on the goals you set for yourself. It's almost like having to choose wireless plans with the right amount of minutes.
Then again, this is a maturing field, and I'm sure wrinkles will be worked out eventually. At least it has us all thinking about security, and that's a good thing. So, although clearly not a perfect system, it's better than nothing.
PS - Please correct me if I'm wrong.
CISSP, MCSE, CSTA, Security+ SME