Re: analysis paralysis
I'm all for independent auditors, but I've come across my share of corrupt and/or incompetent auditors. Example: a web event registration application that used /errorlog.txt to record every possible piece of information, including credit card number, expiration date, cardholder name, and CVV code. The PCI-DSS auditor (an independent, fairly well-known company) signed off on it.
Also, in my entire IT career (going back to the 90s) I have NEVER seen an auditor ask the grunts any questions. In my experience the average admin/engineer knows about a bunch of issues, but they never get cataloged formally. Even communicating them up the chain tends to do nothing more than make oneself hated across all tiers in the company.
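As an added illustration of the kind of automated check that would have caught the /errorlog.txt case above (example code written for this thread, not the poster's or any auditor's tooling): a scanner that flags Luhn-valid card numbers in log text, masks them, and notes whether an expiry or CVV sits on the same line. The log lines are constructed, and the 4111... number is the well-known Visa test PAN.

```python
import re

# Constructed sample log lines (not taken from the post). The 4111... value is
# the public Visa test PAN; the 1234... value is a 16-digit session id that
# fails the Luhn check and must not be reported.
SAMPLE_LOG = """\
2024-03-01 10:02:11 ERROR register(): order=8812 card=4111111111111111 exp=09/27 cvv=123 name=J. Doe
2024-03-01 10:02:12 INFO  session id=1234567890123456 ok
2024-03-01 10:03:40 ERROR register(): order=8813 card=4111-1111-1111-1111 cvv=456
"""

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_RE = re.compile(r"\bcvv\s*[=:]\s*\d{3,4}\b", re.I)
EXP_RE = re.compile(r"\bexp(?:iry)?\s*[=:]\s*\d{2}/\d{2,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep BIN (first 6) and last 4; never write the full PAN into a finding."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(text: str) -> list[dict]:
    """Report each line holding a Luhn-valid PAN, plus whether expiry/CVV also appear there."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):          # drops ids/timestamps that merely look numeric
                continue
            findings.append({
                "line": lineno,
                "pan": mask(digits),
                "cvv_present": bool(CVV_RE.search(line)),
                "expiry_present": bool(EXP_RE.search(line)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A line where both a PAN and a CVV are present is the worst case: PCI-DSS forbids storing the CVV at all, even encrypted, so such a finding is a stop-the-audit item rather than a logging nit.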