Exactly. Auditors seek evidence that you have valid procedures. Depending on the audit, they may not seek evidence you're actually following them. Also, even though you have it documented, that doesn't mean you're doing it. That's a key point. Sometimes a pair of eyeballs and a pen test is what is needed to verify everyone is keeping the organization safe. Independent auditors are an essential part of any organization's security posture. They aren't the only part, however.
K. Brian Kelley