From my experience, you're the exception, not the norm.
Many audits and compliance frameworks have so many loopholes and DIY rulings that basically anything is possible and acceptable as long as whatever you're doing is written beforehand.
Well, I'm not talking about everything, or the high level picture.
But I was checking what were called "IT controls" for their systems and a lot of that stuff was straight forward and yes, it did involve some rubber stamping, but a lot of it made sense: "Do you have a written approval process for adding users to this sensitive system?". "Can you show us how you mitigate not having a written process?".
And it wasn't super rare that besides the fact they didn't have the thing I asked for, but sometimes I couldn't even get them to understand why it would be a good idea.
Many audits and compliance frameworks have so many loopholes and DIY rulings that basically anything is possible and acceptable as long as whatever you're doing is written beforehand.