One of the outcomes of the banking crisis was the awareness that the regulator had been a watchdog that didn't bark, let alone bite. There was an all-too-cosy relationship between the regulated and the regulator.
The old watchdog was put down, and the new watchdog was very keen to show that it had teeth and that they worked. I don't know if the situation has slumped back into the old status quo. What I do know is that security is a topic where you have to be continually ratcheting up your capability. A toothless auditor is no help. Yes, an audit can be a painful process, but if it were easy I'd be worried.
My thoughts are that an organisation shouldn't wait until the end of the year and sit quaking in fear at the sound of the auditor's tread. Some form of continuous improvement process needs to be in place, one that includes a RAID log (risks, assumptions, issues, dependencies).