I agree with what I believe the premise of the article to be. If you have to actually spend any significant time preparing for an audit beyond setting up a couple of computers for the auditors to use, then you're doing something fundamentally wrong to begin with. Most things having to do with audits just aren't rocket science and, as Steve said in the article, are things that folks should be doing anyway.

By the way, my favorite "spec" for doing things the right way is "MIL-TP-41". It's the basis of all other specs whether they be ISO, ANSI, SEC, PCI, SOX, or whatever and is applicable to all industries. It means "Make It Like The Print For Once". 😛 It doesn't suppress the ability to think outside the box or innovate or to react quickly to an emergency because "The Print" should have plans even for that.