As a cybersecurity practitioner, you might need to assist an asset owner or end user in dealing with an auditor (or security assessor).
The Good auditors are able to pick out discrepancies between your operation and the “policies” (written directives, procedures or instruction documents) down to minute details. They regard these as the yardstick (“so it shall be written, so it shall be done”) for a yes-or-no compliance judgment, without looking at other compensating controls. Every change or review execution needs documented evidence (name, date, signed approval, next review date, etc.). How effectively these documents are managed isn’t the focus, even though this will create many unnecessary overheads or even affect the trustworthiness of the documents.
The Great auditors go a step further. They consider whether the written “policies” have gaps against best practices or are practically achievable, and recommend improvements to both the written documents and their execution, e.g. by making reference to the revised password settings per NIST SP 800-63-3.
Cybersecurity practitioners need to keep abreast of the latest industry practices and realign the organization’s policies as part of the governance process.