InfoSec Auditing
When I read about governments doing infosec audits, I always wonder if they are the insurance company tick-box-style audits.
You know:
[ ] Enforces-complex-passwords and minimum password length
[ ] Admins must have "peon-level" account to do ordinary biz on, not just root/Administrator-level accounts
(Etc.)
... but can still pass the audit when passwords are sticky-note attached to monitors, bottoms of keyboards, etc.