I totally agree that companies should have processes in place that keep them audit-worthy (not to mention more secure in general) at all times. My group is partly there - in SQL Server, we are pretty much always audit ready. I haven't been able to understand why our Oracle environments aren't. It's utter chaos for weeks leading up to an audit every single time.

And how reliable are those audit results, anyway? The audits should be looking at day to day processes, not giving people a heads-up weeks or months in advance to get themselves up to standard when they're lagging behind the rest of the year.